Operational Risk function in 1st line

10th September 2015

Sune Warberg Clausen, Head of Risk in Personal Banking

Operational Risk function in 1st line

2

Agenda

Danske Bank — Version and strategy

The Risk function in Personal Banking

Building an Oprisk framework

How do you influence the risk culture

Improving risk culture through 1:1 risk attention

Improving risk culture through measurement

Improving risk culture — Empowerment & consequences

3

Overview: Danske Bank has a strong Nordic franchise

Northern

Ireland Denmark

Norway

Sweden

Finland

Estonia

Latvia

Lithuania 20% 26%

5%

5%

10%

8%

3%

6%

Danske Bank market share**

1. Excluding agricultural centres in Denmark. 2. Market share by lending

Business units

Personal Banking

Business Banking

Corporates & Institutions

Danica Pension

Danske Capital

For divestment

Non–core (Ireland & Conduits)

Personal banking activities in the

Baltics

Facts

3.6 million customers

313 branches1

15 countries

18,874 full–time employees

4

Personal Banking

[Finland]

[Norway]

[Sweden]

[Denmark]

[Luxembourg]

[UK)

[Northern Ireland]

Key facts

3,256 (millions) customers

1,886 (millions) active

e-banking customers

6,796 employees

5

Agenda








6

The mandate of Risk in PB is to define and execute

on the described risk framework and bring issues

to PB Risk Committee

The mandate for Risk is to define the risk framework for the management of non-

financial risks in all market areas and have it approved in Personal Banking’s Risk

Committee. The risk framework in this context includes risk policies, governance,

identification, monitoring, controlling, reporting and event handling. Each market area

can to the extent necessary add on additional risk management activities where they

see fit.

PB Risk Committee

Risk Function

BD Denmark BD Sweden BD Norway BD Finland Risk function in Luxembourg

Risk function in UK

7

Governance in a Group perspective – Risk follows the

guidelines defined by Group Operational Risk and ORCO

ORCO

PB Risk Committee

31AW Risk Group Compliance

Group Operational Risk

Group Security PB Denmark

PB Sweden

PB Norway

PB Finland

PB UK

Private Banking DK

Private Banking Int.

2nd line risk function





8

Our Foundation: Three lines of defence

As a business unit risk function we are somewhere between 1. and 2. line. We report to

business unit management but maintain a dotted line to the Group Risk Management

function

First line: Business

units dealing with

customers

Second line: Control

units

Third line: Internal audit

9

The role of the risk function

“We identify the weaknesses in the operation, streamline our control environment and

follow up on key areas”

Be part of projects

with risk content

Be part of product

and process

design

Influence the

culture through

reporting and

communication

Build and drive risk management

framework for PB in all countries

Look across all non–financial risks

Report to management and ensure

informed decisions on risk areas

10

Agenda








11

We want to put numbers on the risk — AWACS–principle

12

It’s not easy to put numbers on risk

Starting point

Data on

losses

Today

Data on losses

Management

controls

Verification

AML Monitoring

Quality OpRisk

controlling

CDD errors on new

customers

Errors in handovers

to back office

Open audit

recommendation

How did we get to the point, where we could get

the “AWAC to take off”

13

We chose the bottom up approach

Example

Management

controls

“AWAC”

Risk Dashboard and reporting

Risk Controlling set–up

Risk officer set–up

Management control set–up

We can now say that we have a “AWAC” on

management controls

Creating an automatic risk dashboard

Measuring on all levels (bottom to top)

Monthly reporting on all levels

Set–up for controlling of the quality of the risk work in

the branches

Measurable — correctness percent

Risk officers who are working with the branches

Training and best practice

Full overview and transparency

Measurable

14

What was the value of the work

Strong control set-up Good overview

Only relevant controls Saved time

Measurable

Easy to know when you

have done what there

is expected

Better risk culture Fewer errors

(lower costs)

Risk Business

15

Agenda








16

“The ability of the organisation to integrate risk considerations in the

decision making and daily business operation”

Definition of Risk Culture

17

Driving the Risk Culture — Input factors

Risk culture

Risk framework

Control infrastructure

Risk infrastructure

Integration of risk

metrics

Tone at the top Number

of FTE

Competencies in Risk

Number of distortions

Core values

18

Agenda








19


Branch visit

Training

Give best practice

OpRisk Controlling

Get feed back

Focus on solutions

Visit by a local risk officer • Visit every branch 1 or 2 times

every year Branch visit

• Important topics

• Specific training after the branches needs

Training

• Take best practice from the best branches to the branches with needs

Give best practice

• Testing of quality of the risk work

• Objective score (correctness percent)

OpRisk Controlling

• Feed back from the branches

• Ensure better processes Get feed back

• Looking forward — how can we ensure a better risk picture in the future

Focus on solutions

20

Branch meetings

Change Controlling process

Recommend

changed controls

& processes

Risk control

Local

presence

Business

support

Business

knowledge

Simple tools

and methods

Testing the

operational quality &

process adherence

Giving feedback on

suitability of processes

and controls

Branches

Most

important

bearers of the

risk culture

Users of the

customer

facing

processes

Executes key

controls

21

Has it worked? — Quality

in our testing/controlling

Each line is a region in Denmark — The graph shows the development in correctness score in our OpRisk Controlling

60

65

70

75

80

85

90

95

100

Nov Oct Sep Aug Jul Jun May Apr Mar Fe

b

Jan Dec Nov Oct Sep Aug Jul Jun May Apr Mar Fe

b

Jan Dec

Total Target

Red Area 6

Area 5

Area 4

Area 3

Area 2

Area 1

22

Agenda








23

Risk reporting universe in Personal Banking

Risk tolerance

Management board level

(market areas)

Measurement of not accepted

deviations

E.g. OpRisk losses or

Customer complaints

Market Area performance

Branch Manager level (each

branch)

Measurement of correctness

percent

E.g. Management controls or

Controlling

Staff performance

Local risk owner level

(managers in staff functions)

Measurement of better

processor or risk acceptance

E.g. RIA issues or Audit

recommendations

License to operate

Employee and manager level

Measurement of areas that

require that all employees

have completed all relevant

targets

E.g. AML education or

identification of customers

Early warning

indicators

24

Has it worked? — Quality

in our testing/controlling

Each line is a region in Denmark — The graph shows the development in correctness score in our OpRisk Controlling

35

40

45

50

55

60

65

70

75

80

85

90

95

100

Nov Oct Sep Aug Jul Jun May Apr Mar Fe

b

Jan Dec

Target

Red

Total

Area 5

Area 4

Area 3

Area 2

Area 1

25

Agenda








26

Empowerment vs. consequences — A natural link

Empowerment requires a strong risk culture throughout the organisation AND clear

consequences if basic rules are broken

Simplification Empowerment Consequences

27

Licence to Operate — An example of working with culture

To ensure that we all know the basics of banking so we can

Meet external legal and regulatory requirements

Build financial confidence and earn trust

Meet our customers’ expectations

Ensure strong fundamental skills

WHY do we need License to Operate?

28

Has it worked? — License to Operate

Data from the LTO tool — 2. January 2015

Green Amber Red

% there is

done

Not done

courses

Not corrected

CDD errors

Personal Banking 6.307 5 0 99,92 0 0

Personal Banking Staff 1 188 0 0 100,00 0 0


Personal Banking Marked area 1 2.962 0 0 100,00 0 0


Personal Banking Marked area 2 934 0 0 100,00 0 0






Private Banking Marked area 6 332 0 0 100,00 0 0

Private Banking Marked area 7 255 0 0 100,00 0 0

29

Economy & Finance

Operational Risk function in 1st line