Operational Risk Management: Transitioning from Compliance to Performance Assessing the results of the Global State of Operational Risk Management Survey conducted by Operational Risk & Regulation magazine and Protiviti


2014 Global State of Operational Risk Management Survey

INTRODUCTION

Financial services firms are well aware of the heightened political and regulatory pressure on them to be more risk aware and proactive in measuring and managing their risks. Although the financial crisis is reaching its seventh anniversary, the fallout continues in the form of punitive fines for past indiscretions and continuously evolving regulatory guidance.

Since the global financial crisis, regulatory change has been an almost constant issue in the financial services industry. Operational risk has been at the heart of many of the recent enforcement actions, and yet regulations specifically governing operational risk management were largely overlooked by regulators in the years immediately after the crisis hit. That has recently changed, however. In 2014, the U.S. Federal Reserve and the U.S. Office of the Comptroller of the Currency (OCC) both published enhanced risk management standards for large banks to follow. The Federal Reserve issued Enhanced Prudential Standards for Bank Holding Companies and Foreign Banking Organizations that set out broad-based risk management and corporate governance requirements for large banks,1 while the OCC released its “Heightened Standards for Large Financial Institutions” specifically aimed at strengthening the governance and risk management practices of large financial institutions.2 In June 2015, the European Banking Authority (EBA) issued its final draft regulatory technical standards (RTS) on assessment methodologies for the use of Advanced Measurement Approach (AMA) models for operational risk.3 Finally, the Basel Committee on Banking Supervision (BCBS) issued a consultation paper on its intended revisions to the simpler approaches to the operational risk capital framework4 (see the sidebar “Regulatory Change Impacting Operational Risk Management” below for further details on these regulatory changes).

The result of these regulatory changes has been additional pressure on financial services firms to strengthen further their operational risk management capabilities and processes. Organizations with strong operational risk programs are starting to reap the business benefits of implementing more advanced risk management practices. Predictive key risk indicators (KRIs), stronger and more efficient operational processes, as well as more emphasis on identifying thematic risks combined with a strengthening of the control environment, are helping firms gain real value out of going beyond compliance with these heightened risk management standards.

Looking Ahead

A further step forward will be for firms to develop an integrated and agile risk management framework, which merges the needs of business management and risk management into a single framework, process and taxonomy with clear first and second line accountabilities. Central to the concept of agile risk is the premise that, since managing risk is for the intended benefit of the business, it makes sense for the business, risk, compliance and internal audit to work within a common framework with clear accountabilities that will lead to an aligned organization making sound decisions.

In 2005, Protiviti conducted an extensive survey of operational risk management (ORM) professionals during the nascent phase of the introduction of operational risk as a new risk discipline.

1 www.gpo.gov/fdsys/pkg/FR-2014-03-27/pdf/2014-05699.pdf.

2 www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf.

3 www.eba.europa.eu/documents/10180/1100516/EBA-RTS-2015-02+RTS+on+AMA+assesment.pdf/dfb43549-0bb2-4974-8c3b-a99da7cf983c.

4 www.bis.org/publ/bcbs291.pdf.


The survey found that even though operational risk was gaining acceptance by the business, it had far to go in linking ORM performance to the performance of the firm. Fast forward 10 years, and Protiviti has conducted a similar survey of risk management executives and managers in financial services firms, again in conjunction with Operational Risk & Regulation magazine, in response to recent developments in the regulatory space, and to compare and contrast both sets of results to assess what progress firms have made in the ORM space over the past decade.

KEY FINDINGS AND SURVEY DEMOGRAPHICS

Key Findings

• Operational risk professionals are working to contribute value to the business and are having a greater influence on business activities, albeit through the presentation of evidence rather than exercising authority.

• There is an emphasis on improving the operational risk management capabilities of the first line of defense, which is identified as being the least mature in terms of risk management.

• The breadth of ORM professionals’ responsibilities has expanded and is expected to continue to do so, putting pressure on resources, most noticeably staffing levels, which could impair ORM’s ability to credibly challenge the business.

• ORM data quality needs significant improvement for it to be used as input for strategic decision making.

• Although firms are improving their risk appetite metrics and risk culture programs, professionals need to ensure their ORM fundamentals, specifically risk data quality and data governance, are strong.

Survey Demographics

The data referenced in this white paper leverage the results from the survey conducted by Operational Risk & Regulation magazine, sponsored by Protiviti, in 2014. All of the survey participants had experience with ORM programs, with more than half describing their role as “operational risk officer/manager.” The majority reported that their organizations have maintained an ORM program for seven or more years. More than 65 percent of respondents work for banks, with the rest associated with insurers, asset management firms, brokerages and fund managers.

Of the 205 respondents, 97 indicated that they had responsibility for the United States (US), 113 for the European Union (EU) and 56 for Asia-Pacific (APAC).5 As such, this report outlines a number of regional trends and differences in the appendix, though overlapping responsibilities limit the ability to isolate the influence of regulatory and other pressures specific to these three regions.

5 These figures do not add up to the 205 stated since some respondents have responsibility for more than one region.


Regulatory Change Impacting Operational Risk Management

US Regulators Act on Operational Risk

In February 2014, the Federal Reserve issued Enhanced Prudential Standards for Bank Holding Companies and Foreign Banking Organizations that set out broad-based risk management and corporate governance requirements for banks with assets of more than $50 billion. The standards state that a firm’s risk management framework must be commensurate with its structure, risk profile, size and complexity and must include: policies and procedures establishing risk management governance, risk management practices, a risk control structure for global operations, and processes and systems for implementing and monitoring compliance with risk management policies and procedures. The standards go into greater detail on the requirements for firms to establish risk committees, including enterprisewide risk committees.6

The OCC followed in September 2014 with the release of final guidelines specifically aimed at strengthening the governance and risk management practices of large financial institutions. Divided into two sections, the OCC guidelines set out the minimum standards for the design and implementation of a bank’s risk management framework, which the OCC states should be based on “the three lines of defense”; the second section sets the criteria for the bank’s corporate governance.

EU Issues Final Operational Risk Standards

In June 2015, the European Banking Authority (EBA) issued its final “Regulatory Technical Standards (RTS) on assessment methodologies for the use of Advanced Measurement Approach (AMA) models for operational risk,”7 which specifies the qualitative and quantitative requirements financial institutions are required to meet before they can be granted permission to use AMA internal models to calculate their capital requirements for operational risk. They also set out common standards for the supervisory assessment of a bank’s operational risk governance with respect to the roles and responsibilities of the operational risk management function and the reporting system. Notably, the RTS clarify the scope of operational risk, as well as the scope of operational risk loss, the treatment of fraud losses in the credit area and the perimeter of credit risk events.

International Regulatory Developments

An emerging regulatory development is the Basel Committee on Banking Supervision’s (BCBS) revised standardized approach for measuring operational risk capital, which could further impact the ORM sector if adopted by the various national regulators.8 The revisions replace the existing three simple approaches – the Basic Indicator Approach (BIA), the Standardized Approach (TSA) and the Alternative Standardized Approach (ASA) – with a single simple approach. They have replaced the TSA betas with a set of new size-based, regulatory coefficients and have eliminated gross income (GI) as an indicator, introducing a new measure, the Business Indicator (BI), which comprises three macro-components of a bank’s income statement. The paper also includes preliminary guidance for introducing a boundary range or capital floor for ORM capital, as well as a quantitative model based on bank-internal loss data called the Operational risk Capital-at-Risk (OpCaR) model. The consultation period closed in January 2015 but the BCBS has yet to issue a final paper on these revisions. There are concerns that smaller firms are being pulled into the AMA space, which could happen due to the predicted increase in capital requirements caused by the new coefficients (the approach starts with a 10 percent capital coefficient and increases to a very steep 30 percent dependent on the income of the institution, which is a large jump from the TSA top rate beta of 18 percent). This is an emerging situation but it is yet another regulatory change on the horizon of which ORM managers need to be aware.

6 A Protiviti white paper and Flash Report analyze the specifics of the enhanced risk management standards. These publications may be found at www.protiviti.com.

7 www.eba.europa.eu/documents/10180/1100516/EBA-RTS-2015-02+RTS+on+AMA+assesment.pdf/dfb43549-0bb2-4974-8c3b-a99da7cf983c.

8 www.bis.org/publ/bcbs291.pdf.


UNDERSTANDING THE VALUE OF ORM

The enduring challenge for operational risk managers is to demonstrate where operational risk information is influencing business decisions positively and adding that all-important value to the bottom line.

According to the survey, operational risk activities are adding to business value in a broad variety of ways. While they are still contributing to the fundamentals of operational risk management by analyzing risk and control self-assessments (RCSAs), understanding the business environment and internal control factors (BEICFs) and improving the general overall control environment, the foremost response was that operational risk program activities were enhancing the risk culture of the firm (52 percent).

Of the core operational risk program activities, what are the top three in terms of contributed business value?

Enhancing the risk culture of the firm: 52%
Gathering, measuring and analysis of internal losses: 33%
Aligning the firm’s strategy with operational risk: 20%
Establishing and regularly using a challenge process: 12%
Using “near miss” loss data and performing root cause analysis: 9%
Using external loss data: 1%

The remaining items in the chart (analyzing risk and control self-assessment results, improving the control environment of the firm, forming an understanding of the business environment and internal control factors, facilitating the capital allocation process and resulting capital charge, cascading risk appetite down to business lines and process levels, and using scenario analysis for consideration of emerging and extreme risks) scored 44%, 44%, 41%, 23%, 12% and 7%; the pairing of these values to items is not recoverable from the chart. The chart grouped activities as “Growing” and “In Need of Development.”

A Decade of Change

This is a different picture from 10 years ago. In the 2005 Protiviti Global Financial Services Industry Operational Risk Survey, nearly all respondents said that operational risk information was used by management to support risk assessments and internal audit activity (93 percent), with over half confirming that operational risk information was used in the new product approval process. Both of these management activities were explicitly defined in the Basel II Accord document and the Bank for International Settlements guidelines on operational risk as recommended practices.

One in five respondents in 2014 (20 percent) stated that their activities are aligning the firm’s strategy with operational risk to help guide business decisions, whereas in the 2005 survey, 45 percent of respondents stated that operational risk information was used in strategic planning. And elsewhere in the 2014 survey, where respondents were asked to list their three key challenges for keeping pace with organizational change, the third highest response was that there is a lack of operational risk consideration in business planning processes.

Comparing the survey results from 2005 and 2014 provides insight into how operational risk management has evolved since those early days following the introduction of Basel II. As detailed later in the paper, those changes are most apparent in staffing levels and the broader scope of responsibilities for operational risk managers.

The data also highlights a number of areas where further value might be added in the future. Establishing and regularly using a challenge process is a fundamental facet of an independent risk function. Presently, however, the survey suggests that only 12 percent of financial services firms consider this to be in the top three operational risk processes that add business value. Similarly, using lessons learned from losses, whether they be internal (33 percent of all responses), near misses (9 percent) or external (1 percent), should be considered an essential element of an operational risk framework, yet the survey results suggest that they currently do not add significant value.

Historically, it has been assumed that implementing an operational risk framework will automatically add value. These results suggest that this might not necessarily be the case. Perhaps a different paradigm for putting a framework into practice is required; one that considers not just the requirements of the process, but also gives significant consideration prior to rollout as to how best to implement and run the process in a manner that adds value to the business. This can be a function of individual company cultures and, as such, may be different from company to company or even from business line to business line.

Building Business Knowledge

All operational risk managers need to have a fundamental understanding of the function of the first line of defense to enable them to deliver true business value. ORM professionals must understand clearly how business lines deliver products and services to customers; how they set goals that align with broader strategic objectives; and how they mobilize teams (e.g., roles and responsibilities; risk governance) across the organization to realize their goals. In our experience, these are frequently the most common opportunities for improvement for operational risk cited by business executives outside of ORM functions.

In the new operating environment, where firms are under intense regulatory scrutiny, business line professionals and the supporting functions are expected to be more than simply proficient in their roles. Business line managers need to embrace a more expansive view of their responsibilities, and avoid risk taking that may be inconsistent with their firm’s overall business objectives. ORM professionals also need to improve their understanding of business strategies, initiatives and activities – especially given the importance of aligning ORM activities with the objectives of individual business lines. In short, “checking the box” is no longer an option.

Creating Business Value

ORM professionals are locked in what seems like an interminable struggle to establish their value as “revenue keepers” and “business enablers” rather than as cost centers. Within revenue-generating business lines, it is easier to quantify value contributed to the business. But in the case of support functions such as ORM, value delivery is both a measure of impact and the quality of the process that delivers that impact.


When asked what were the top challenges facing the operational risk function in keeping pace with organizational change, the majority of respondents reported a general lack of appreciation of the ORM function – a finding based on the fact that one in five operational risk professionals indicated management undervalues their role. This finding is noteworthy not because it is a groundbreaking revelation, but rather because it is a troublesome trend that continues in the face of persistent operational risk loss events, increased reputational risk and intensified regulatory scrutiny.

ORM professionals do seem to be having greater success in influencing business activities than in years past, as demonstrated by the fact that respondents point to their enterprisewide influences as key value drivers – such as enhancing the risk culture of the firm and improving the control environment. However, questions remain on whether this is, indeed, a move to operational risk managers having more substantial influence on business decisions as part of a greater cultural change within organizations, or if these survey results show only superficial influence or are part of the risk “theater,” as discussed below.

Influencing Business Outcomes

Having a strong ORM framework requires internal stakeholders to have an informed debate about an organization’s business objectives. And whenever this discussion is taking place, it is critical to: 1) have the right people at the table, 2) include the best information for why certain decisions and resulting activities are proposed, 3) discuss the associated risks, and 4) use tools such as the components of an operational risk framework (internal and external loss data, RCSAs and KRIs and scenario analysis) to inform the discussion.

Does operational risk management have the ability to independently stop business decisions?

No, but operational risk offers opinions on business decisions for line of business consideration: 33%
Yes, however the line of business has the ability to accept the risk and continue their course of business: 31%
Yes, has authority and has stopped one or more business decisions in the last 12 months: 13%
No, operational risk does not have involvement in line of business decisions: 10%
Yes, has authority and in all instances the decision is final: 3%
No response: 10%

(The chart’s pairing of percentages to answer options is reconstructed from the discussion that follows.)

ORM professionals are increasingly invited to have a seat at the table – though their collective voice is still somewhat muted. This raises a question: Are we witnessing real risk management or “risk theater”? ORM practitioners who were surveyed indicated that they influence business outcomes through the presentation of evidence rather than exercising authority over business decisions – with many respondents saying that their ability to influence decisions has been impaired. When ORM functions make recommendations, business units often continue forward while accepting the risks involved. Hence, for most operational risk managers, credibly challenging decisions is the silver bullet.


Risk Communication Is a Primary Tool

While operational risk managers exert influence on decisions through ongoing reporting, some points of influence are more mature than others. The survey asked participants to rank the following types of operational risk reporting based upon their level of maturity: board, risk committee, line of business, country-specific and information technology. Of the five areas, risk committee reporting is considered to be the most mature, with 40 percent of respondents ranking it first. It was followed by board reporting with 26 percent, line of business reporting with 20 percent, information technology with 9 percent and country-specific reporting with 4 percent.

Primary information components of firms’ operational risk profile reports

Assesses past issues and trends:
Operational loss data trends − amount of losses: 58%
Operational loss data trends − number of events: 50%
Significant external loss events at peers: 22%
Operational risk program effectiveness: 35%

Assesses future issues and trends:
Top risks requiring management’s attention: 67%
Key risk indicators: 57%
Risk appetite: 46%
Mitigation plans to reduce the operational risk profile: 43%
Reputational risks (i.e., these are reported within the operational risk profile): 33%
Operational risk events’ impact on strategic objectives: 24%
Vendor risk management: 24%
Relationship to other risks (e.g., credit, market, strategic): 8%

Organization does not produce an operational risk profile report: 5%

(The chart distinguished components that assess past issues and trends from those that assess future issues and trends; the grouping above follows the nature of each component, as the chart’s color coding is not preserved.)

Operational risk profiles are the most important reporting instrument because they consolidate a wide range of information. The majority of respondents pointed to three key elements of these profiles: top risks requiring management’s attention (67 percent), operational loss data trends (58 percent) and key risk indicators (57 percent). More specific information components are also widely included, with risk appetite indicators (46 percent) and mitigation plans (43 percent) being cited by close to half of the respondents.


Who completes the RCSAs?*

Business unit personnel: 34%
Corporate operational risk / operational risk personnel aligned to business units: 30% and 9% (39% combined; the chart does not make clear which figure belongs to which group)
Internal audit: 1%
Other: 3%

* Not shown in chart: “No response”

RCSAs are another important risk reporting measure, especially since they are forward-looking tools intended to bring ORM to the line-of-business level. Even though the results show that 34 percent of respondents state that RCSAs are completed by business unit personnel, a larger share (39 percent) state that RCSAs are more commonly completed by operational risk specialists residing in the business lines or in the corporate function. It is encouraging that risk managers are involved with RCSAs, though there are also issues associated with the business line not taking sufficient ownership of the process and content. When properly designed and executed, RCSAs proactively identify operational risks (rather than loss events), assess a firm’s exposure, evaluate the control environment, and ultimately facilitate risk mitigation. However, if the first line of defense – the “risk owner” – is the least involved in completing the RCSA, the results may not have the integrity to inform business decisions.

ORM professionals need to become better communicators with the business. However, they do not need to rely solely on official risk reporting tools to achieve this – indeed, more informal meetings or discussions with business line providers could be more effective ways of improving understanding of operational risk and, in turn, increasing ORM professionals’ knowledge of the business line’s own requirements. Varying business lines will also likely prefer different communication methods. It is in the interest of the operational risk manager to understand which mechanisms work best.


CONSIDERATION OF THE THREE LINES OF DEFENSE

Solid Skillset Across the Three Lines of Defense

According to the survey results, the first line of defense is considered the lowest performing in terms of the adequacy of its ORM risk skillset and performance. This is not to say that its performance is bad; 68 percent of respondents rated it “3” or higher on a 5-point scale, with 35 percent rating it “4” or more. The second line of defense (the ORM function itself) considers itself to be, by far, the strongest area, with 87 percent of all respondents rating their skills and performance as “3” or higher and 64 percent “4” or higher. The third line of defense (internal audit) is also considered to have a strong skillset, with 73 percent of respondents rating it “3” or higher and 49 percent rating it “4” or higher.

How adequate is the skillset and performance of your institution’s operational risk management personnel in the different functions?*

                          Very high/high   Neutral   Very low/low
First line of defense          35%           33%         22%
Second line of defense         64%           23%          4%
Third line of defense          50%           23%         15%
Executive management           49%           31%         10%
Board members                  40%           36%         11%

* Responses provided on a scale of 1 to 5, with 5 defined as “very high” and 1 defined as “very low.” The percentages of “no response” answers are not shown. Values are as recovered from the chart; the text above gives 49 percent “4” or higher for the third line of defense.

It should be noted that these results are impacted slightly by bias since more than half of the respondents to this survey are from the second line of defense. That notwithstanding, the results are perhaps demonstrative of a supposed lack of engagement of the first line of defense from the second line’s perspective, which is an oft-commented frustration of operational risk managers. A small proportion of respondents (19 percent) highlighted their perceived lack of effective interaction with the first line of defense when asked to list their three key challenges for keeping pace with organizational change. Still, the reality remains that the second and third lines of defense cannot be truly effective without a strong commitment to ORM by business line leaders and managers.


Strengthening ORM Capabilities

While firms have made considerable enhancements to their risk management frameworks since the financial crisis, there is still more work to be done. Among respondents, the top activities aimed at improving the ORM capabilities of the first line of defense include identifying high-risk processes, products and systems; analyzing and refining control environments; and increasing access to ORM training.

These top responses, specifically identifying high-risk processes, products and systems, are basic blocking and tackling activities for operational risk managers. Even after two decades, the fact that two-thirds of respondents say that they are focused on improving such a basic building block of any ORM program is surprising and demonstrates how much work still needs to be done to move ORM to a more advanced level.

What are the top three activities that the first line of defense is doing to improve operational risk management capabilities?

Identifying high-risk processes, products and systems for monitoring and testing: 65%
Analyzing and refining control environments: 56%
Undertaking operational risk management training: 39%
Discussing regulatory findings in greater depth with commitment to remediating identified areas of improvement: 37%
Aligning operational risks with corporate and/or business line objectives: 30%
Introducing meaningful financial impacts to compensation packages: 30%
Establishing credible challenge processes: 20%
Allocating more resources to operational risk capabilities: 13%
Applying operational risk management techniques to decision-making activities: 8%
Requesting more and/or higher quality operational risk reporting information: 2%

(Values are listed in the order recovered from the chart; the text above confirms the top three.)

ORM professionals must continue their efforts to demonstrate value to the firm while enhancing their understanding of business line objectives and strategic initiatives. These twin goals are necessary for any firm that wants to ensure its ORM framework continues to influence business objectives while supporting critical and organizationwide initiatives.

With increased pressure to meet regulatory expectations, the reality is that many ORM professionals spend the majority of their time simply trying to keep pace with the increased demands. However, even small measures can have a big impact. For example, firms should improve their risk reporting to include details such as common issues applicable to multiple products, an analysis of root cause and proposals for comprehensive fixes. Further, more direct communication among the three lines of defense can be instrumental in helping the second line of defense improve its business knowledge and simultaneously break down silos – particularly during critical activities such as new product approval committees or system design.


EXPANSION OF ORM RESPONSIBILITIES

Building Risk Knowledge

It is critical for businesses to have sufficient risk management expertise to successfully manage and mitigate the potentially harmful consequences of errors and organizational weaknesses. Essential elements include ensuring firms establish a robust taxonomy that categorizes risks and that the ORM framework defines risk appetites and thresholds. As previously mentioned, ORM professionals need to understand the business fully – the first line of defense – to be able to learn and adapt risk concepts to business situations. This was named by survey respondents as the foremost characteristic required of an operational risk professional.

On an individual basis, ORM professionals must also seek to continually improve their understanding of the ever-changing risk landscape. Building and maintaining this risk knowledge (cited by 53 percent of survey respondents as a key characteristic of operational risk professionals, behind only adaptability and communication skills) needs to be viewed as a process rather than a goal. In light of the myriad operational risks – both known and unknown – that firms face, ORM and business line professionals will not be able to identify, capture and measure every single risk. It is, therefore, more instructive to think of risk knowledge as a journey with a series of intervening stops. But to the extent possible, there should be a concerted effort to continually learn and adapt risk concepts to business situations, while improving communication to ensure risk resiliency.

Most important characteristics of operational risk professionals

Ability to learn and adapt risk concepts to business situations: 61%
Communication skills: 60%
Risk knowledge: 53%
Line of business knowledge: 42%
Breadth of enterprise knowledge: 32%
Specific risk area knowledge, e.g., fraud or business continuity risk: 21%
Relationships within the organization sufficient to cut across boundaries: 15%
Pure aptitude and intelligence: 15%

ORM to Assume Greater Responsibility

Risk knowledge has become even more essential as the regulatory environment has been evolving at a rapid pace, with no signs of abating. Maintaining regulatory compliance will require ORM professionals to assume a greater number of responsibilities – a trend we originally identified in our 2005 ORM survey. Nearly two-thirds of respondents to our 2014 study said the breadth of their responsibilities has expanded and 23 percent believe it has broadened substantially.


With operational risk requirements expected to expand over the next few years, senior management must think long and hard about how best to allocate resources. Over the years, we have seen numerous instances in which resource constraints are the principal limitation impeding ORM’s ability to meet future expectations. As noted below, the survey results suggest that staffing at firms is either inadequate today (43 percent in total) or will become so if more responsibilities are added to the operational risk function (26 percent).

Chief executives and business leaders have a very different view, however. Large financial institu-tions have invested millions of dollars to comply with risk management requirements over the past two decades, with little return – at least from a CEO perspective. Operational risk breaches continue to happen and have been increasing in frequency and size since the global financial crisis hit. As a whole, the financial services industry is weary of expending ever more resources on risk management projects without any real evidence that risks are being avoided. This is the premise of Protiviti’s Agile Risk Management Framework.

Credible Challenge Limited by Staffing Levels

In order for ORM to contribute to the ongoing dialogue over aligning risk taking with business objectives, having an adequate level of competent staff is a prerequisite. Further, access to resources is a key driver of ORM performance, especially in light of the expected expansion of ORM responsibilities over the next few years. Although close to half of survey respondents (46 percent) say their staffing numbers are currently adequate, only 20 percent said this will continue to be so even if responsibilities increase. The most common response (33 percent) is that the ORM function has “not quite enough staff.”

How would you describe the number of staff at your operational risk function?

Adequate, and confident that it will continue to be so even if responsibilities increase: 20%
Adequate, but unsure we could cope with more responsibilities: 26%
Not quite enough staff: 33%
Number of staff completely inadequate: 10%
No response: 11%

Inadequate headcount was also identified as a problem in the 2005 survey, but it has to be remembered that was during the early days when firms were only starting to establish their ORM departments. In our 2005 paper, we stated that ORM functions ran on a much smaller staffing model than market or credit risk disciplines, which “rely heavily on dedicated individuals to be actively part of the execution of a risk management program as well as to formulate risk policy.” It can be argued, and as demonstrated by the 2014 results, that ORM is beginning to contribute to the risk policy of the firm, specifically in areas like risk culture and risk appetite.

The average size of the ORM team in 2005 was between one and five staff members. In 2014, 56 percent of respondents stated that fewer than 25 full-time employees were dedicated to the operational risk function, 10 percent had between 25 and 49 staff members, and 15 percent had between 50 and 99 full-time employees.


IMPROVING ORM FUNDAMENTALS

Risk Data Needs to Be Improved

One of the key obstacles to effective decision-making is lacking the right data. Survey respondents across regions have indicated that data quality is another area where ORM practitioners see significant room for improving risk knowledge. Overall, data governance and validation processes are the most common improvement initiative, but several other aspects are identified, including root cause analysis, and the use of data taxonomies and high-quality data sources and elements.

What steps is your organization taking to improve operational risk data?*

Building data governance and validation practices: 45%
Quantifying control environment results: 37%
Defining quality data sources and elements: 37%
Conducting root cause analysis immediately: 37%
Improving data taxonomies and naming conventions: 37%
Investing in technology to capture and monitor real time data: 30%
Defining risk data aggregation techniques: 22%
Utilizing capacity effectively: 18%
Implementing predictive analytics: 11%
Other: 6%

* Multiple responses permitted.

On a global basis, firms need to decide on the optimal mix of backward- and forward-looking inputs for decision-making and assessing the soundness of an ORM framework. For example, our research shows that the majority of ORM professionals who were surveyed (60 percent) predominantly use internal audit reports (i.e., backward-looking data) to gain confidence in the strength of the control environment. More forward-looking processes, such as monitoring business testing results and monitoring KRIs that target control design and operating effectiveness, follow closely (45 and 44 percent, respectively), with assessment of specific processes at 36 percent. Independent testing of the control environment is the least common activity, cited by 29 percent of respondents.


What activities does operational risk management perform to gain confidence in the strength of the control environment?

Reviews internal audit reports and issues: 60%
Monitors business testing results: 45%
Monitors KRIs targeting the control environment design and operating effectiveness: 44%
Assesses specific processes: 36%
Independently tests the control environment: 29%

Increasing ORM IQ

Effectively capturing and measuring risk exposures is a prerequisite for building and dispersing risk knowledge. Those firms that struggle with incomplete or incompatible data and management information systems will find it exceedingly difficult to reconcile risk metrics and have a holistic view of exposures across business lines, not to mention the enterprise.

Capturing the right data and metrics, and then being able to communicate across the three lines of defense, will help drive convergence and transform the process for setting risk appetites. Going forward, while firms should continue leveraging insights from audit reports, they should also think more seriously about using independent testing of the control environment. For example, while operational risk data is often backward-looking in nature, by collecting quantifiable and predictable metrics over time, firms can use these data as indicators and potentially gain greater insight into the likelihood of operational risk events. This would improve firms’ ability to have a more real-time and forward-looking posture.


LINKING RISK TO BUSINESS

As the three lines of defense increase both their business and risk knowledge, the process of prioritizing the relative importance of the risks that must be managed to achieve business objectives must ultimately follow. For example, by fully understanding the critical services that are outsourced to vendors, ORM professionals may be better equipped to anticipate and mitigate potential risks. The added benefit in this scenario is that ORM may be able to provide the business line with valuable risk mitigation strategies during the planning phase rather than post execution.

Risk Appetite Metrics

A core element of enterprise risk management is aligning risks undertaken by the business lines with the risk appetite of the firm, an activity that varies substantially among business lines. Recently, increased attention has been given by firms to creating operational risk-specific appetites to help link risks to businesses. In fact, our study found that, where risk appetites specific to ORM have been created, this has been done for either a significant number of business lines (29 percent) or a few business lines (6 percent). Another 35 percent of respondents said that this process is in initial or ad hoc phases, while only 6 percent said it has not been addressed at all.

Is an operational risk-specific risk appetite implemented throughout the organization?

Defined for a significant number of business lines: 29%
Don’t know/no answer: 24%
Initial: 23%
Ad hoc: 12%
Defined for a few business lines: 6%
None: 6%

Among respondents who have established specific operational risk appetite metrics, these implementations have been limited to areas where risk appetite is easiest to quantify. Operational risk losses are the most common metric (54 percent), followed by fraud metrics, which have been adopted by one-third of the organizations surveyed (33 percent). Appetite for more complex risks is much less likely to be quantified, with model risk at the bottom of the list, having been established by only 8 percent of respondents.
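The two most common fundamentals in this report, the data governance and validation work described under “Risk Data Needs to Be Improved” and the loss-based appetite metrics discussed here, can be illustrated with a single worked example. The code below is an added example, not code from the survey report or from Protiviti: it validates a small loss register against an assumed event-type and business-line taxonomy, rejects double entries and impossible recoveries, aggregates net losses per business line for a reporting year, and tests the totals against an assumed annual net-loss appetite. The taxonomy, the business lines, the appetite figures and every sample event are constructed for illustration.

```python
"""Added example: loss-event validation, aggregation and appetite check.
Taxonomy, business lines, appetite thresholds and sample events are all
constructed for illustration; none come from the survey report."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed event-type taxonomy (a simplified Basel-style level-1 list) and an
# assumed business-line list; a real firm would load both from its data
# governance master reference so every feed uses the same names.
EVENT_TYPES = {
    "internal_fraud", "external_fraud", "execution_delivery",
    "business_disruption", "clients_products",
}
BUSINESS_LINES = {"retail_banking", "corporate_finance", "asset_management"}


@dataclass(frozen=True)
class LossEvent:
    event_id: str
    business_line: str
    event_type: str
    occurred: date
    gross_loss: float
    recovery: float = 0.0

    @property
    def net_loss(self) -> float:
        return self.gross_loss - self.recovery


def validate(event: LossEvent) -> list[str]:
    """Return the data-quality problems with one event (empty if clean)."""
    errors: list[str] = []
    if event.business_line not in BUSINESS_LINES:
        errors.append(f"unknown business line {event.business_line!r}")
    if event.event_type not in EVENT_TYPES:
        errors.append(f"event type {event.event_type!r} not in taxonomy")
    if event.gross_loss <= 0:
        errors.append("gross loss must be positive")
    if not 0 <= event.recovery <= event.gross_loss:
        errors.append("recovery must lie between 0 and gross loss")
    return errors


def partition(events: list[LossEvent]) -> tuple[list[LossEvent], dict[str, list[str]]]:
    """Split events into clean ones and a map of rejected id -> reasons.
    A repeated event_id is treated as a double entry and rejected."""
    seen: set[str] = set()
    clean: list[LossEvent] = []
    rejected: dict[str, list[str]] = {}
    for ev in events:
        problems = validate(ev)
        if ev.event_id in seen:
            problems.append("duplicate event_id")
        if problems:
            rejected[ev.event_id] = problems
        else:
            clean.append(ev)
        seen.add(ev.event_id)
    return clean, rejected


def aggregate_net_loss(events: list[LossEvent], year: int) -> dict[str, float]:
    """Sum net losses per business line for one reporting year."""
    totals: dict[str, float] = defaultdict(float)
    for ev in events:
        if ev.occurred.year == year:
            totals[ev.business_line] += ev.net_loss
    return dict(totals)


def appetite_breaches(totals: dict[str, float],
                      appetite: dict[str, float]) -> tuple[dict[str, float], list[str]]:
    """Lines whose annual net loss exceeds appetite, plus lines with no appetite set."""
    breaches: dict[str, float] = {}
    undefined: list[str] = []
    for line, total in totals.items():
        if line not in appetite:
            undefined.append(line)
        elif total > appetite[line]:
            breaches[line] = total
    return breaches, undefined


# Constructed sample register with deliberate quality defects.
SAMPLE_EVENTS = [
    LossEvent("LE-001", "retail_banking", "external_fraud", date(2014, 3, 2), 250_000.0, 50_000.0),
    LossEvent("LE-002", "retail_banking", "execution_delivery", date(2014, 5, 14), 900_000.0),
    LossEvent("LE-002", "retail_banking", "execution_delivery", date(2014, 5, 14), 900_000.0),  # double entry
    LossEvent("LE-003", "corporate_finance", "clients_products", date(2014, 6, 30), 400_000.0, 100_000.0),
    LossEvent("LE-004", "retail_banking", "fraud", date(2014, 7, 9), 80_000.0),  # free-text event type
    LossEvent("LE-005", "asset_management", "internal_fraud", date(2014, 8, 1), 120_000.0, 150_000.0),  # recovery > loss
    LossEvent("LE-006", "wealth", "business_disruption", date(2014, 9, 20), 60_000.0),  # unknown line
    LossEvent("LE-007", "asset_management", "business_disruption", date(2014, 11, 3), 30_000.0),
    LossEvent("LE-008", "corporate_finance", "execution_delivery", date(2013, 12, 1), 500_000.0),  # prior year
]
# Assumed annual net-loss appetite; asset_management deliberately has none set.
APPETITE = {"retail_banking": 1_000_000.0, "corporate_finance": 500_000.0}


def run(year: int = 2014) -> dict:
    clean, rejected = partition(SAMPLE_EVENTS)
    totals = aggregate_net_loss(clean, year)
    breaches, undefined = appetite_breaches(totals, APPETITE)
    return {"rejected": rejected, "totals": totals,
            "breaches": breaches, "no_appetite": undefined}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2, default=str))
```

The point of separating validation from aggregation is that a breached appetite is only credible if the events behind it survived the taxonomy and plausibility checks first; a rejected record is reported with its reasons rather than silently dropped, and a business line that reports losses but has no appetite defined is surfaced as its own finding.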


Do you have operational risk appetite metrics established for the following?*

Operational risk losses: 54%
Fraud: 33%
Operational risk profile: 31%
Regulatory risk: 30%
Business resiliency: 28%
New products: 24%
Reputational risk: 23%
Process management: 20%
Vendor management: 20%
People management: 19%
Issue management: 18%
Change management: 15%
Litigation: 11%
Model risk: 8%

* Multiple responses permitted.

Developing a Holistic View of Operational Risk

Going forward, perhaps the most difficult but necessary challenge for an operational risk framework is bringing together its key elements – internal loss data, external loss data, scenario analysis, KRIs and RCSAs – in such a way that a more comprehensive view of a firm’s operational risk profile is developed. The overall framework needs to become greater than the sum of its parts.

Rather than implementing each piece and assuming – or even hoping – that the pieces fit together to give a holistic perspective, it might be better to take a step back and reflect upon what operational risk practitioners are attempting to be and achieve – in other words: 1) strategic advisers to a firm’s management for setting risk appetite and allocating capital; and 2) independent agents to set consistent standards for risk management.

By starting with the end in mind, one might then begin to consider how the pieces of an operational risk framework could be brought together to accomplish these goals. The lessons learned from implementing such elements over the past several years should stand practitioners in good stead; understanding what works and what does not with regard to the individual parts of the framework should allow them to be put together in the most effective way. Any gaps that might subsequently arise should be more identifiable, allowing them to be addressed in a manner that drives the process toward achieving the holistic view.


Carrying out such a re-evaluation, and its subsequent implementation, might be difficult given the need to balance the increasing requirements arising from the U.S. regulators’ Heightened Standards and Enhanced Prudential Standards against the current level of resources identified in the survey (only 20 percent of respondents consider their number of staff to be “adequate, and confident that it will continue to be so, even if responsibilities increase”). Pushing to build an operational risk framework that provides a holistic view should also produce a product that clearly adds value to the business.

As a result, and despite the apparent current pressure on staffing, firms should consider creating a dedicated team to undertake the re-evaluation work. Having the resources to carry out their current tasks while also expecting them to work on re-engineering the existing framework might be too much to ask.

ORM and Compliance Integration

Credibly challenging business decisions requires appropriate coordination between the ORM and compliance functions. The survey results suggest that the majority of organizations represented in the survey treat ORM and compliance as separate functions. About 40 percent of respondents say that compliance is included as an operational risk management component during the normal course of business. When asked directly about the degree of integration between the two, 56 percent said they are separate functions.

That being said, there appears to be significant alignment between the two functions in most organizations. More than four in ten respondents (42 percent) said that they seek to leverage some activities between the ORM and compliance functions. Only 14 percent reported they are completely separate, with another 19 percent noting that they are “thoughtfully aligned” but not well integrated.

Some larger financial institutions understand how they are able to leverage some of the tools and methodologies used by both ORM and compliance functions. Many benefits and efficiencies can be realized by aligning certain areas, such as risk and control assessment programs, business line monitoring, and second line of defense testing, which tend to use the same tools and assessment methodologies.

What is the relationship between the operational risk function and the compliance function?

Separate functions but seek to leverage some activities: 42%
Thoughtfully aligned functions but not well integrated: 19%
Completely separate functions and activities: 14%
Significantly integrated: 12%
Completely integrated: 4%
Don’t know/no answer: 9%


Where the operational risk function should sit has been debated since the early days of ORM’s development as a distinct risk function. It has been suggested in the past that ORM should sit within the compliance department or that both the compliance and the ORM function should sit under the chief risk officer. When the Basel II Accord was first introduced, operational risk managers were keen to differentiate ORM from compliance to ensure a better understanding of the discipline, particularly on the front line, but this was not always easy. In the 2005 survey, respondents stated that ORM functions in larger institutions (30 percent) were likely to have responsibility for Sarbanes-Oxley compliance. This is unsurprising since most new ORM professionals were brought in from areas such as internal audit (55 percent of respondents to the 2005 survey were previously internal auditors) and financial control (27 percent) that would have had the skills to help oversee SOX compliance, which was still relatively new.

Fast forward to today: With multi-billion dollar fines becoming commonplace, firms are refocusing their efforts on expanding and strengthening their compliance departments as well as their risk management capabilities. In some cases, operational risk and compliance departments are being merged within risk or are reporting into the same manager. There is the sense that compliance is being considered as a regulatory risk function, which sits under the risk function, allowing firms to align ORM and compliance more easily since they are both risk disciplines.

Operational risk professionals have struggled for more than 10 years to ensure the definition of operational risk is separate from compliance. There have been a few periods in the past where the compliance and operational risk teams have been merged and then separated again depending on the economic environment. The pendulum appears to be swinging back in the other direction again. There are many opportunities for ORM and compliance to be more efficient by being more aligned, specifically in obvious overlaps such as RCSAs and compliance risk assessments. Moreover, many incidents that are ultimately categorized as regulatory risk or fines/penalties/enforcement actions have been initially created by operational risk issues – such as not following policy, or customer service trying to do the perceived right thing for an individual customer and creating a violation of law. Boundary issues such as these were highlighted following the subprime crisis, which had a significant operational risk component.9

9 The EBA RTS AMA paper addresses boundary issues between credit risk and operational risk, see: www.eba.europa.eu/documents/10180/1100516/EBA-RTS-2015-02+RTS+on+AMA+assesment.pdf/dfb43549-0bb2-4974-8c3b-a99da7cf983c.


FUTURE ORM PRIORITIES

Fostering a Mature Risk Culture

As the survey has shown, at many firms, ORM is making inroads in helping the business enhance the risk culture at the firm and aligning the firm’s strategy with operational risk.

A fundamental requirement of any strong ORM program is a “no-blame” culture. Without it, firms cannot reliably perform the basic tasks of compiling the operational loss data on which capital calculations rest, managing the risks those data reveal, or planning scenarios to mitigate future events. ORM professionals are extending those skills across the wider organization to reinforce the commitment to a strong risk culture. Successful CROs know that continuous improvement of policies and processes comes from recognizing that a successful organization learns from its mistakes, which means mistakes should be shared across the company and acted on to deepen the institutional memory. Positive risk cultures are stimulated further through an enterprisewide commitment to excellence, not protocols for punishment.10

Of the following, please select the top three priorities for actions to be taken by management over the next 12 months (first choice / total)

Improving components of the operational risk program: 20% first choice / 44% total
Information security risk, including cyberthreats: 15% / 40%
Data management: 2% / 35%
Compliance risk: 13% / 32%
Business continuity/resiliency, financial crime management, model risk, IT infrastructure to support operational risk management, vendor risk: the extracted chart no longer pairs these five categories with their values; the remaining totals shown were 20%, 20% and 18%, and the remaining first-choice values were 4%, 8%, 6%, 12%, 1%, 5% and 8%.

10 Read further insights from Protiviti on risk culture in Establishing and Nurturing an Effective Risk Culture: Enabling the Chief Risk Officer’s Success at www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/CRO-Series4-Establishing-and-Nurturing-an-Effective-Risk-Culture-Protiviti.pdf.


Priorities for the Future

The process for subjecting business decisions to a risk management sense check need not be onerous. In fact, many firms already have the necessary tools at their disposal. Audit reports, back testing results, limit breaches and internal loss data are all valuable resources. Risk appetite and tolerances are key tools for firms to articulate their risks to the board and the rest of the organization to provide clarity on the enterprise’s appetite for risk, which can also help to drive cultural change and maintain strategic focus.11

In order to better understand how firms are applying lessons from the past to the future, we surveyed risk management professionals about their priorities going forward. Among respondents, improving components of the operational risk program is top of mind (44 percent), followed by information security (40 percent), data management (35 percent) and compliance risk (32 percent). Improving the components of the ORM program and cyber risk were the highest first choice priorities for survey respondents, taking 20 percent and 15 percent of the first choice vote, respectively. Even though data management ranked third overall, only 2 percent of respondents consider it to be their first choice priority, whereas compliance risk remains a high first choice priority with 13 percent of the vote.

Looking beyond the survey data presented here, the biggest priority in the coming year for ORM departments is expending time and resources on improving components of their operational risk frameworks, which includes the continued development and improvement of operational risk tolerances and operational risk appetite. Again, these are basic blocking and tackling moves for ORM professionals, but the emphasis is on keeping those fundamental ORM tools as strong and as robust as possible to ensure a high level of risk mitigation.

11 Protiviti has published extensively on the subject of risk appetite – see Defining Risk Appetite and Driving Risk Appetite, both of which are available at www.protiviti.com.


IN CLOSING

In the past two decades since the introduction of ORM as a discipline, there has been a sea change not only in how operational risk is regarded, but also in the business environment. Though it goes without saying that change is constant, there are few who could have predicted the radical change that is taking place across the financial services sector. From cyber threats to more stringent regulations, ORM is not for the faint of heart.

In order to be ready to face these 21st century challenges, firms need to make sure that their three lines of defense work more symbiotically – particularly in respect to gaining business and risk knowledge, linking risks to business, credibly challenging decisions, and applying learning lessons to the future.

As previously highlighted, the next step for ORM is to become more closely aligned with the business, as well as compliance and internal audit, to create a more flexible framework where they can leverage skills, methodologies, processes and knowledge. This will develop a more proactive risk management framework that works with the business and is more efficient in its use of resources. Operational risk management is centered on the sound management of processes, people and systems – essentially the building blocks of any business. ORM should, therefore, be at the heart of this new “agile” risk framework, working with its peers in compliance, risk, audit and the business lines to create a stronger, risk-aware and compliant organization that can navigate the tougher financial and economic environment with confidence.


APPENDIX

Regional Observations

Of the 205 respondents to the 2015 ORM Survey, 97 indicated that they had responsibility for the United States (US), 113 for the European Union (EU) and 56 for Asia-Pacific (APAC).12 This appendix comprises survey results that outline a number of regional trends and differences, though as previously noted, the overlapping responsibilities of ORM professionals limit the ability to isolate the influence of regulatory and other pressures specific to these three regions.

Notable Regional Findings

• Regulators are putting pressure on all regions to improve business environment and internal control factors, or BEICFs.

• All regions consider the first line of defense to be the weakest in terms of ORM skillsets and performance.

• US, EU and APAC regions have very different priorities for the improvement of data quality.

• All regions agree that reviewing internal audit reports is the most important ORM activity for strengthening confidence in the control environment.

• US respondents report staffing shortages more frequently than other regions, whereas most EU respondents believe their ORM staff levels to be adequate. Nearly one-third of APAC respondents, on the other hand, believe their ORM programs are falling behind, with 76 percent expecting their ORM responsibilities to broaden.

12 These figures do not add up to the 205 stated since some respondents have responsibility for more than one region.


Top Pressure Areas from Regulators

Respondents responsible for all three major regions agree that BEICFs is the area where they are experiencing the most pressure from regulators to improve, but US respondents are disproportionately likely to say that operational risk reporting is also a major concern. EU respondents, on the other hand, are about as likely to point to operational risk models as BEICFs.

Top pressure areas from regulators (US / EU / APAC)

Business environment and internal control factors: US 62%, EU 54%, APAC 76%
Operational risk model: US 31%, EU 51%, APAC 34%
Internal data: US 44%, EU 40%, APAC 50%
KRIs: US 46%, EU 35%, APAC 32%
Operational risk reporting: US 61%, EU 45%, APAC 45%
Scenario analysis: US 23%, EU 37%, APAC 29%
External data: US 13%, EU 13%, APAC 16%


Skills and Performance of ORM Personnel

On a regional basis, respondents with responsibility for all three major regions are in agreement that the first line of defense is the weakest, with less than half of respondents rating it in the top two on a scale of five in terms of adequacy. Similarly, there is general agreement among the three groups that the second line of defense is the strongest, with approximately four out of five respondents rating the function as adequate. The only significant variance between regions is in the area of executive management, where EU respondents have less confidence than their US and APAC counterparts.

Adequacy of the skillset and performance of ORM personnel (percentage of respondents rating the function in the top 2 of 5; US / EU / APAC)

First line of defense: US 44%, EU 38%, APAC 38%
Board members: US 51%, EU 49%, APAC 50%
Executive management: US 63%, EU 52%, APAC 63%
Third line of defense: US 58%, EU 56%, APAC 52%
Second line of defense: US 77%, EU 80%, APAC 77%


Improving ORM Data

On a regional basis, it is interesting to note that respondents in the US, EU and APAC regions have different priorities for the improvement of data quality. In particular, improving data taxonomies and naming conventions stands out as a higher priority for respondents with US responsibilities. Conversely, defining quality data sources and elements, quantifying control environment results and immediate root cause analysis are all carried out more frequently by APAC respondents. The only step taken more frequently by EU respondents is utilizing capacity effectively, which is implemented more than twice as often as any other region.

Steps taken to improve operational risk data

(US / EU / APAC)

Building data governance and validation practices: US 65%, EU 55%, APAC 57%
Quantifying control environment results: US 46%, EU 46%, APAC 52%
Defining risk data aggregation techniques: US 37%, EU 28%, APAC 38%
Improving data taxonomies and naming conventions: US 62%, EU 42%, APAC 48%
Conducting root cause analysis immediately: US 42%, EU 39%, APAC 52%
Implementing predictive analytics: US 21%, EU 15%, APAC 31%
Defining quality data sources and elements: US 52%, EU 48%, APAC 60%
Investing in technology to capture and monitor real time data: US 39%, EU 32%, APAC 38%
Utilizing capacity effectively: US 13%, EU 32%, APAC 14%


Strengthening Confidence in the Control Environment

There is general agreement among respondents with responsibilities in the three major regions that reviewing internal audit reports is the most important ORM activity for strengthening confidence in the control environment. Nearly as many APAC respondents believe that the assessment of specific processes is also critical. In fact, operational risk professionals based in APAC attribute higher importance to all of the ORM activities included in the survey as part of their efforts to build confidence.

ORM activities to strengthen confidence in the control environment

                                                                                      US     EU     APAC
Review internal audit reports and issues                                              86%    81%    92%
Assessments of specific processes                                                     62%    60%    79%
Monitor KRIs targeting the control environment design and operating effectiveness     62%    49%    69%
Independent testing of the control environment                                        30%    31%    38%
Monitor business testing results                                                      41%    45%    46%


Staff and Resources

Staffing shortages are reported more frequently by respondents who are responsible for the US than by counterparts in other regions, with nearly half (46 percent) saying they have “not quite enough staff” and an additional 17 percent calling their staffing “completely inadequate.” Conversely, nearly twice as many EU respondents believe their OR staff levels to be adequate even if responsibilities increase compared to other regions.

In spite of these staffing constraints cited by US respondents, they appear to be keeping pace with organizational changes, with only 21 percent saying they are falling behind, and 7 percent indicating that they are actually staying ahead of ongoing changes. Nearly one-third of APAC respondents, on the other hand, believe their ORM programs are falling behind. This is significant given that more than three-quarters of APAC respondents (76 percent) also believe that ORM responsibilities will broaden in the near future.

Adequacy of staffing numbers at the operational risk function

                                                                        US     EU     APAC
Not quite enough staff                                                  46%    35%    37%
Adequate, but unsure we could cope with more responsibilities           25%    23%    39%
Adequate and will continue to be even if responsibilities increase      12%    29%    17%
Number of staff completely inadequate                                   17%    13%    7%


ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Named one of the 2015 Fortune 100 Best Companies to Work For®, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our Financial Services Industry Team

We assist financial services companies in identifying, measuring and managing the myriad risks they face. With our commitment to service, people, resources and values, we are the service provider of choice for financial institutions of all types and sizes.

Our consultants are experienced professionals. Many have decades of experience working in the financial services industry. Located in offices across the globe, they include former industry executives, former regulators and a broad range of subject-matter experts who have firsthand knowledge of the issues on which they provide advice. Our internal commitment to training ensures that our consultants remain current on important industry issues. Armed with tested tools and methodologies, our consultants provide pragmatic, cost-effective and value-added solutions to your company.

At Protiviti, we understand the challenges faced by financial services companies. Our solutions are designed to help your company turn these challenges into competitive advantages.


Protiviti Financial Services Industry/Risk & Compliance Practice – Contact Information

Cory Gunderson, Managing Director – Global Leader, Financial Services Industry

Tim Long, Managing Director – Global Leader, Risk & Compliance

Matthew Moore, Managing Director

Jim Ryan, Managing Director

Andrew Clinton, Managing Director, +44 (0)

Peter Richardson, Managing Director, +44 (0)

Giacomo Galli, Managing Director

Michael Klinger, Managing Director

George Brown, Managing Director

Mike Purvis, Managing Director

Acknowledgments

Thank you to the following Protiviti consulting professionals who contributed to this study and report:

• Danielle Coffin

• Karthikeyan Krishnan

• Denis Lippolt

• James McDonald

• Raj Parthasarathy

• Matthew Perconte

• Owen Strijland

• Natalie Tarabay

• Mark Taylor

• Matt Taylor

• Victoria Tozer-Pennington

• James Wirawan


© 2015 Protiviti Inc. An Equal Opportunity Employer. M/F/Disability/Vet. PRO-0915-101076

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

INDIA*: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA*: Buenos Aires

BRAZIL*: Rio de Janeiro, São Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE*: Santiago

MEXICO*: Mexico City

PERU*: Lima

VENEZUELA*: Caracas

EUROPE/MIDDLE EAST/AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

THE NETHERLANDS: Amsterdam

UNITED KINGDOM: London

BAHRAIN*: Manama

KUWAIT*: Kuwait City

OMAN*: Muscat

QATAR*: Doha

SAUDI ARABIA*: Riyadh

UNITED ARAB EMIRATES*: Abu Dhabi, Dubai

SOUTH AFRICA*: Johannesburg

* Protiviti Member Firm