Operational Risk Management
Jaidev Iyer, Managing Director, Head of Operational Risk - Markets & Banking
Istanbul, March 6, 2007

Objective: Shed some light on …
  • What is Operational Risk?
  • How do we manage Operational Risk?
  • Op. Risk Capital

What sank the Titanic? What made it a big tragedy?
  • For over 5 decades, operators had taken larger and larger risks to save money
  • Greater attention to amenities than to safety … engineers did not have last (any) word
  • Lifeboats ate up deck space … Board of Trade dominated by shipbuilders
  • Poor procedures: 2200 passengers, only 1200 could have been saved, only 700 were
  • Safety drills (including at the lifeboats) … mere custom
The good news: Disasters bring change … change for the good, despite all the costs

Is there Operational Risk in these Headlines?
[Figure: collage of news headlines. Legible headlines include "Innovative Transaction in European Government Bond Markets", "Volatility in Latin America", "Integrity of Financial Reporting", "Predatory Lending", "Corporate Governance" and "Private Bank to discontinue Operations in Japan"; the remaining headlines are not recoverable from the extracted text.]

… Or in these?!
[Bar chart: Losses in $Bns (axis ticks 0, 0.5, 1.0, 1.5, 2.0, 2.5, 7.5). Institutions shown: Merrill Lynch & Co, Orange County, Metallgesellschaft AG, Kidder, Peabody & Co, Barings Plc, Daiwa Bank Ltd, Sumitomo Corp, Deutsche Bank AG, NatWest Markets, UBS, LTCM, Allied Irish Banks, National Australia Bank, Citigroup. Event labels shown: 1987 - Unauthorized Mortgage Trading; 1994 - Liquidity Mismanagement; 1994 - Oil Futures; 1994 - Joe Jett Phantom Trades; 1995 - Nick Leeson Trading Losses; 1995 - Treasury Bond Trading; 1996 - Copper Trading; 1996 - Unauthorized activity by fund managers; 1997 - Mispriced Options; 1997 - Mispriced options; 1998 - Over leveraged convergence arbitrage; ? ?; 2002 - Fraudulent trades; 2004 - Regulatory settlements and related litigation reserves.]

Operational Risk and Op. Risk Event Types
§ Operational Risk is the risk of loss resulting from inadequate or failed
    § Internal processes
    § People
    § Systems
    § External events
§ It specifically excludes market and credit risk judgments, except in Boundary conditions
Event types:
  • Fraud, Theft & Unauthorized Events
  • Clients, Products & Business Practices
  • Employment Practices and Workplace Environment
  • Physical Asset & Infrastructure Events
  • Execution, Delivery & Process Management

Key Operational Risks for the CIB
1. Business Practices: Inappropriate business practices or market conduct …
2. Business Selection: Inappropriate business selection due to inadequate due diligence or non adherence to credit, market or operational risk policies and limits …
3. Infrastructure Adequacy/Capacity: Inability to support business growth due to weaknesses or deficiencies in the underlying infrastructure or applications …
4. Financial Integrity: Incorrect financial books and records and delayed or inaccurate reporting …
5. Compliance with Laws and Regulations: Failure to comply with the spirit and letter of laws and regulations applicable to our products and services …
6. Information Security: Inappropriate safeguarding of customer or Citigroup information assets …
7. Continuity of Business: Inability to continue business during a contingency event …
8. Employment Practices: Inappropriate employment practices …

What is Operational Risk? … risk of loss … from inadequate or failed internal processes, people and systems or from external events.
  • Process Risks
      – Execution, Delivery, Processes …
      – Business Disruption, Systems …
  • Conduct Risks
      – Clients, Products, Business Practices
      – Employment Practices
      – Internal Theft, Fraud
  • External Risks
      – External Theft and Fraud
      – Damage to Physical Assets

Op. Risk Event examples: Conflicts

May 2004: Citigroup Inc. agrees to pay $2.65 B to settle a lawsuit claiming the firm issued fraudulent, misleading, and otherwise flawed research reports on WorldCom. Citigroup and Salomon also allegedly granted WorldCom CEO Bernard Ebbers large loans and access to stock offerings in exchange for investment banking business.

October 2004: Lehman Brothers agrees to pay $223 MM to settle a lawsuit claiming the firm created false investments and completed fake sales of nonexistent Enron assets to hide loans. Enron executives reported revenue increases and removed billions of dollars of debt from its balance sheets, which falsely increased securities prices and deceived investors.

July 1992: First Reserve Corp, a US financial institution, agrees to pay $73 M in a lawsuit stemming from its takeover of McMurray Oil Tools. Houston Monarch, which sought financing from First Reserve to buy McMurray Oil Tools, claimed that First Reserve dragged its heels on the financing and then bought McMurray Oil Tools for itself.

Operational Risk is not just about “operations” or the “back-office”

Op. Risk Event examples: Product Suitability

July 2004: Banca Intesa SpA, an Italian financial institution, agrees to pay $223 MM to customers who lost money from the collapse of three Italian companies. Customers allege improper promotion and sale of investments. In some instances, investors switched their life savings from other Italian corporate bonds into one of the three companies.

October 2004: Nextra, an Italian asset management company, agrees to pay $197 MM to settle allegations that the firm knew about Parmalat’s financial condition when it placed a 300 M EUR bond issue in June 2003. Nextra later resold the bond back to Parmalat and demanded repayment of the funds, indicating possible prior knowledge of financial mismanagement at Parmalat. As a result, Parmalat lost 37.6 M EUR.

June 2005: Morgan Stanley agrees to pay $187 MM to settle litigation with Italian dairy Parmalat Finanziaria SpA. In February 2005, Parmalat sued Morgan Stanley, alleging that it knew Parmalat was failing when it helped raise capital, including a $362 M bond issue in June 2003. The dairy went bankrupt in December 2003.

Op. Risk Event examples: Business Practices

October 1993: Samuel Montagu, a UK investment advisory firm, agrees to pay $209 MM to settle a lawsuit alleging breach of contract. The lawsuit claims Samuel Montagu provided false assurances on behalf of its client, Quadrex Corp., who breached a contract with British & Commonwealth.

October 1993: Salomon Brothers agrees to pay $30 MM to settle a lawsuit claiming the firm inflated its fees for investment advice. The transaction related to the Los Angeles-based HF Ahmanson’s purchase of Bowery Savings Bank in 1987.

February 1989: Drexel Burnham Lambert Inc. agrees to pay $650 MM to settle charges of securities fraud. An ex-Drexel managing director repaid $11.6 MM in illegal gains from insider trading, the use of nonpublic information to profit in stock transactions obtained through misappropriation or in breach of a fiduciary duty owed to a client of Drexel.

Op. Risk Event examples: Fraud

June 2005: Morgan Stanley appeals a $1.6 B verdict in a lawsuit related to its role in the collapse of Sunbeam Corp. Ron Perelman claimed the firm knowingly allowed Sunbeam Corp to acquire Coleman Holdings using inflated Sunbeam stocks. MS acknowledged that it arranged for the deal but claimed that it did not know that Sunbeam had inflated the company’s sales and earnings from 1997 until 1998 to boost share price.

January 1999: Barclays Bank agrees to pay $192 MM to settle claims alleging it advised the purchase of a company that turned out to be insolvent. British & Commonwealth bought Atlantic Computers following assurances that Atlantic was financially sound, but it turned out that Atlantic's books had been falsified. Its failure brought down British & Commonwealth.

November 1992: Kidder Peabody & Co. agrees to pay $165 MM to settle charges of insider trading. Maxus Energy Corp., a client, alleged that Ivan Boesky received information from a Kidder VP, and Boesky admitted paying the VP between $700-$800 M for secret information about deals that Kidder was handling. Maxus claimed Boesky pocketed $7.4 MM in illegal profits.

How do we manage Operational Risk?

What can we learn from other risk disciplines?

Credit Risk
  • Modern History: Age > 40 years; Portfolio view > 25 years; Quantitative > 15 years; Active mitigation > 10 years
  • Risk Measurement: Value at Risk based on
      – Probability of Default – ORR
      – Loss Given Default – FRR
  • Risk Mitigation Tools: Target market/portfolio; Risk-based capital; Credit approval process; Assignments / participations; Credit derivatives

Market Risk
  • Modern History: Age > 25 years; Portfolio view > 15 years; Quantitative > 10 years; Active mitigation > 10 years
  • Risk Measurement: Value at Risk based on
      – Factor Sensitivity
      – Potential Losses
  • Risk Mitigation Tools: Risk-based capital; Boundaries; Diversification; Hedging / unwinding positions

Operational Risk
  • Modern History: Age < 5 years; Portfolio view … still TBD; Quantitative < 3 years; Active mitigation … culture++
  • Risk Measurement: Value at Risk based on
      – Loss frequency
      – Loss severity
    Metrics / Key Risk Indicators
  • Risk Mitigation Tools: Risk-based capital; Pace of business growth; Infrastructure investment, planning; People management, training

Op Risk Management Basics
§ Op Risk Management is the management of the frequency AND severity of operational losses
§ The goals of Op Risk Management are to:
    § Dimension operational risk exposure (quantitative, qualitative) to confirm an acceptable level of risk
    § By ensuring adequate controls, maintain exposure (financial/reputation risk) within acceptable levels
    § Determine the appropriate level of capital to absorb extreme losses associated with risks that do not lend themselves to control, and for control failures
§ The tools of Op Risk Management are:
    § Loss capture enables causal analysis (to determine preventive measures) and capital modelling
    § Assessments (Self, Audit, Regulator) provide a view on control effectiveness and residual risk
    § Metrics (KRIs) warn of risk/control imbalances & serve to attract appropriate management attention
    § Scenario analysis dimensions potential frequency and severity, especially for unexpected losses
    § Capital protects the firm’s solvency; capital allocation informs management decisions
        § Regulatory capital required under Basel II
        § Economic capital used for all management purposes

Building a New Risk Discipline
  • Data and analysis to support mgmt decisions
      – People and infrastructure investment
      – Business growth, acquisitions
  • Build a portfolio view of operational risk
      – Directionally up or down
      – major drivers, their potential impact

PURPOSE & STRUCTURE (2004-2005)
§ Op. Risk Management structure & objectives
§ Education and awareness
§ Streamlined RCSA hierarchy
§ Loss data as foundation for Op. Risk Capital
§ Senior mgmt reports

TOOLS & DATA (2006)
§ Op. Risk integrated suite
§ Key Risk Indicators (KRIs)
§ Loss data content, integrity
§ Refined Policy, Procedures
§ Use of AMA for ERC

ANALYSIS & MITIGATION (2007-2008)
§ Streamline data capture
§ Integrated analysis
    • RCSA
    • Losses
    • KRIs
    • External Experience
    • Scenario Analysis
§ Payment Systems Risk
§ Proactive risk mitigation
§ Implement Basel II
§ Risk based Capital allocations

Op Risk Data & Analytics Foundation
[Diagram; labels as extracted: Internal Losses; RCSA (EDCS); Capital (ORCA Catalyst); Shared Utilities; Op. Risk Metrics; Hierarchies; Report Writer; Entitlements, etc; Scenario Analysis; External Losses; Scaling Data; Audit Data; (SAS / First); (Finance); (AutoAudit)]

TODAY
  • Five data elements are independently assessed
      – Internal & External loss data
      – Control assessment results
      – Op Risk metrics
      – Scenario analysis
  • An integrated view remains difficult
      – Data Structure, Characteristics, Completeness
      – Technology
      – Inadequate understanding of Op Risk drivers

2007 - 2008
  • Five data elements assessed in relation to each other
      – Incongruities identified, e.g. losses up, RCSA very clean
      – Individual data elements improved, e.g. oversight in RCSA process, revised metrics, loss data capture
  • Data comparisons made possible by
      – Uniform views through meta-data (“hooks”)
  • “Deep Dives” identify and dimension Op. Risk drivers
  • Capital “reality check” using all the data elements

What is Integrated Op Risk Analysis
“Deep Dive” Analysis of Losses to Connect Op. Risk DATA and FUNDAMENTALS

1. Identify Op Risk Drivers
  • What could have prevented the loss?
  • What factors influenced the size of the loss?
2. Assess RCSA Effectiveness
  • What controls failed / didn’t exist?
  • Covered in the Assessment/s of the Entity that caused the loss?
  • Where else could such a control failure occur?
3. Identify Existing and Needed Metrics
  • Could existing metrics have warned of trouble?
  • What metrics could track the risk drivers or warn of weakness?
  • What set of metrics could best capture the end-to-end risks?
4. Dimension Potential Size and Frequency
  Thinking about the risk drivers…
  • Under what circumstances might the loss have been much larger?
  • Could such losses occur more frequently? How? Where?
  • What do external events tell us?
5. Understand Capital Implications
  • Does capital adequately cover stresses?
  • What about the “perfect storm”?

Markets & Banking Op. Risk Organization
[Organization chart; names and groups as extracted:] Jaidev Iyer Head of Operational Risk Paula Arguera Admin. Jaidev Iyer Capital Markets & Banking Husam Arabiat Lynley Ashby Eva Leighton GTS & Infrastructure Joe Perrotta Betty Sandhop John Wertheim EMEA Richard Bilby Chris Bechtle Greg Fell (PSR) Teresa Yiu Asia Ahmed Rahim M. Makiguchi (NCL Japan) S. Abe Anna Stephenson Japan Bank Raj Mittal Op. Risk Assessment Hal Gross (Data Management) Asha Subramanian Fred Yu Milica Stojnic David Mazza (PSR Analysis) Artemis Yu Rob Carey Ryan Butkus (Capital)
PSR = Payment Systems Risk

Operational Risk Capital

CIB Operational Risk Losses and Economic Capital
[Chart: Op Risk Losses ($MM) and Risk Capital ($Bn); data labels as extracted: $16.9, $20.7, $20.4, $21.0, $20.7, $21.9, $21.7, $21.3, $22.2, $21.6, $22.9]
*2005 does not include $600 MM adjustment to Worldcom/Research reserve; an Op. Risk “gain”

Q4’06 Economic Capital
[Chart; labels as extracted: Standalone Intra-Risk Capital Variance Analysis Frequency Allocation Qualitative Adjustment Net Variance Inter-Risk Diversified Capital *]

Q4’06 Economic Capital
Risk Capital in Asia

Q4’06 Op Risk Parameter Choices and Capital

                                                             Capital at 99.97% ($MM)
RLOB                     Tail Parameter   Ann. Freq $1 MM    Stand-alone   Intra-Risk Diversified
Agency Services          0.55             1.94               125           101
Commercial Banking       0.65             0.83               173           141
Corporate Finance        0.90             2.90               3,865         3,145
Payment and Settlement   0.55             1.17               94            77
Trading and Sales        0.75             15.90              3,493         2,842
Unclassified             0.75             1.00               439           357
Total (Diversified)      NA               23.74              8,184         6,664

Input to CIB allocation model

  • CIB Op. Risk capital is concentrated in Corporate Finance and Trading & Sales. The lower event frequency in Corporate Finance is compensated by higher severity.
  • Processing businesses in GTS have low severity and contribute little capital.

Qualitative Adjustment Factor in Op. Risk Capital

ARR Risk Level Weights
  • Low = 1.00
  • Medium = 1.10
  • High = 1.25

Issue Severity Weight
  • BI = 1
  • MBI = 3

Issue Aging Wt.
  • 0-29 days = 1.00
  • 30-59 days = 1.25
  • 60-89 days = 1.50
  • 90+ days = 2.00

RCSA Residual Risk Weights
  • Low = 1.00
  • Medium = 1.10
  • High = 1.25

Control Rating Weights
  • Unsatisfactory = 1.50
  • Needs Improvement = 1.25
  • Satisfactory = 1.00

QAF Application
Post QAF Capital = Intra Risk Diversified Capital * QAF (n) / QAF (n-1)

Note: Support group QAF allocations follow budget lines

Summary
§ Operational Risk Management is the management of the Frequency and Severity of Operational Losses
§ Operational Risk – established as a formal risk discipline
§ Basel II, SOx and FDICIA are key drivers, but much more so is “better business management”
§ Operational Risk is incorporated in economic and regulatory capital calculations
§ Event data is captured for capital modelling, and causal analysis to manage risks and controls
§ Loss Analysis, RCSAs, Capital, Stress and Key Risk Indicators form the current basic framework for identifying and managing Operational Risk at the business level
§ The goal is to determine the operational risk profile that is acceptable to the business and support it with the appropriate level of controls and capital.