incident management procedures & guidance
Post on 16-Oct-2021
Incident Management Procedures & Guidance Page 1 of 62
FOR INTERNAL USE ONLY
Document Owner: Group Head of Operational Risk & Insurance
Date updated: December 2015
Version: 2.9
Location: Risk Document Library
Incident Management Procedures & Guidance
WBC.100.118.8029 CONFIDENTIAL
Document version control
No. | Date | Version | Author | Description
1-5 | 11/06 | V0.1 | Mike Purvis | Drafting to support introduction of new process at 1 Dec 06.
6 | 8/1/07 | V0.2 | Mike Purvis | Drafting to reflect introduction of new processes at 31 Dec 06
7 | 22/1/07 | V0.3 | Mike Purvis | Drafting to reflect new systems in February 07
8 | 06/02/07 | V1.0 | Steven Bardy | Drafting to reflect Business Unit input and changes to reflect migration to new Policy Framework
9 | 15/02/07 | V1.1 | Aislinn Strang | ORMF review amendments
10 | 07/08/07 | V1.2 | Maebehe Garcia | Drafting to clarify issues related to credit and market risks and other amendments
11 | 24/04/08 | V1.5 | Andrew Leslie | Annual Review. Update for Rapid Recovery, Insurance Threshold and APS115
12 | 23/12/08 | V1.6 | Dung Thien Tran | Update for the implementation of ACCORD
13 | 22/04/09 | V1.7 | Andrew Leslie | Add hand written marked up edits to electronic version
14 | 15/05/09 | V1.8 | Andrew Leslie | Simplified content. Integrated version to include SGB.
15 | 27/07/09 | V2.0 | Luke Tazelaar | Updated from BU feedback
16 | 01/03/12 | V2.1 | Nadine Schaefer-Medappa | Updated to reflect Policy updates and add additional guidance
17 | 02/04/12 | V2.2 | David Tan | Updated to include operational risk related to project costs
18 | 24/04/12 | V2.3 | David Tan | Updated to clarify about the treatment of near misses
19 | 05/06/12 | V2.4 | David Tan | Greater clarification to the Basel Business Lines section of the appendix for Retail and Commercial Banking having regard to Divisional input. Minor modifications to the Corporate Items Basel Business Line title to reflect the "Not otherwise allocated" categorisation in ACCORD.
20 | 20/08/12 | V2.5 | Juliette Lemaire | Include Lean Incident Management Workshop Quick Wins: Incident Ownership "Circuit breaker"; "Lite" treatment for incidents with potential or actual financial impact under $50,000 and $1,000 tolerance for GL/ACCORD reconciliation differences
21 | 07/03/13 | V2.6 | Juliette Lemaire / David Tan | Updated to include AML / CTF management of incidents
22 | 03/06/13 | v.2.7 | Juliette Lemaire | Updated to include Industry standards agreed at the Interbank forum with regards to the treatment of boundary losses
23 | 30/05/14 | v.2.8 | Juliette Lemaire / Derek Byrne | Annual Review. Updated to include Legal Risk related Operational Risk incidents (LOPs) and Outsourced Service Provider related Operational Risk incidents. Add a reference to the role of ACCORD support team. Updated to include a new section on Internal Escalation reporting. Updated to rationalise the list of Mandatory stakeholders. Updated to simplify appendices with regards to Reconciliation processes. Removal of appendix relating to ACCORD process on relocating incidents to support business restructure
24 | 11/12/15 | v.2.9 | Derek Byrne | Inclusion of a roles and responsibilities section and process flow. Reference to the new escalation process for incidents not owned within 5 days of identification. The inclusion of an exception for Technology, HS&W and Fraud incidents, which will now require ownership within 5 days of reporting in ACCORD, given that there are subsystems in place to manage the ownership of these incidents. Additional examples of Credit related Operational Risk incidents (CROPs) provided. Inclusion of additional industry guidance on the treatment of Legal Risk related Operational Risk incidents (LOPs) prior to capture in ACCORD
Distribution
Title/Function | Sign-off/review
Group Head of Operational Risk & Insurance | Sign-off
Head of Regulatory Affairs | Review
Enterprise Compliance | Review
Business Unit Heads of Operational Risk | Review
Head of Systems & Data | Review
Financial Crime and Fraud | Review
Group Health, Safety and Wellbeing | Review
Table of Contents
1 Purpose ... 6
2 Operational Risk Incidents ... 7
2.1 What is Operational Risk? ... 7
2.2 What is an Operational Risk Incident? ... 7
2.3 Incident Reporting Thresholds ... 8
2.3.1 Financial threshold ... 8
2.3.2 Non-compliance threshold ... 9
2.4 Related Incidents ... 10
2.5 Money Laundering (ML) / Terrorism Financing (TF) incidents ... 10
2.6 Boundary Losses ... 12
2.6.1 Credit Risk-related incidents caused by Operational Risk (CROPs) ... 12
2.6.2 Market Risk-related incidents caused by Operational Risk (MOPs) ... 15
2.7 Legal Risk related Operational Risk incidents (LOPs) ... 16
2.8 Outsourced Service Provider related Operational Risk incidents ... 17
2.9 Operational Risk incidents related to projects ... 18
3 Incident Management Process ... 19
3.1 Incident Management Metric ... 19
3.2 Incident Management - key roles & responsibilities ... 20
4 Incident Identification and Recording ... 23
4.1 Incident Identification and Recording - Example ... 24
5 Incident Verification ... 26
5.1 Incident Verification - Example ... 29
5.2 Rejecting an incident ... 30
6 Incident Ownership ... 31
7 Assessments ... 32
8 Incident Rectification ... 32
8.1 Incident rectification - Example ... 34
9 Incident Closure ... 36
10 Re-Opening of Incidents ... 36
11 Data Quality ... 37
12 External Reporting ... 38
13 Internal Escalation Reporting ... 38
Appendix 1 Direct vs. Indirect Financial Impact ... 39
Appendix 2 Basel Business Lines ... 40
Appendix 3 Basel Event Types ... 45
Appendix 4 Product ... 47
Appendix 5 Process ... 49
Appendix 6 Mandatory Stakeholders ... 51
Appendix 7 Rectification Procedures on Financial Impact ... 52
Appendix 8 ACCORD financial reconciliation performed by Risk Systems & Data ... 57
Appendix 9 ML/TF incident significant / systemic criteria ... 58
Appendix 10 Glossary of terms ... 59
1 Purpose
The Operational Risk Incident Management (IM) Policy outlines the minimum requirements for managing incidents across the Westpac Group. This Procedure document complements the IM Policy by providing guidance and examples. It should be read in conjunction with the IM Policy.
Divisions may document additional guidelines specific to their business activities as long as these do not contradict the intentions of the Group IM Policy or this Procedure.
The objectives of the IM process are to:
- Facilitate the timely identification, reporting, rectification and management of incidents
- Minimise the financial, reputation, customer and regulatory impacts of incidents
- Minimise the reoccurrence of incidents by addressing their root cause in a timely manner
- Ensure the quality of incident data to promote the integrity of the capital model and its outputs
- Assist Westpac in meeting regulatory and compliance obligations
- Promote and enable a risk-aware culture
The system supporting this process is ACCORD. All Incidents must be captured in ACCORD. Should the business mandate that incidents be captured in other systems, this will be in addition to ACCORD, as ACCORD is the designated IM system.
Everyone involved in the IM process must ensure that the data collected meets the principles set out in the Data Policy and is complete, accurate, valid, timely and sufficiently detailed in order to:
- Support the efficient management of incidents
- Reduce unnecessary errors and re-work of incident data
- Ensure the integrity of incident data as input into the capital model, i.e. internal loss data
- Meet regulatory data requirements
If further clarification regarding the IM Process, Policy or Procedure is needed, please contact your Manager, Operational Risk Advisor or Group Operational Risk & Insurance (GORI) for further guidance.
2 Operational Risk Incidents
2.1 What is Operational Risk?
Operational Risk is defined as "the risk of loss from inadequate or failed internal processes, people and systems, or from external events. It includes legal and regulatory risk but excludes strategic and reputation risk".
This is the Basel II definition. It is also used by the Prudential Regulator (APRA) in APRA Prudential Standard (APS) 115 "Capital Adequacy: Advanced Measurement Approaches to Operational Risk" and across the industry. Westpac has aligned its definition with this standard.
2.2 What is an Operational Risk Incident?
Operational Risk covers a broad spectrum and can occur virtually anywhere e.g. data entry or accounting errors, product defects, fraud, employee health and safety incidents, technology failures, natural disasters or failed mandatory reporting.
An Operational Risk incident is an incident that is caused by an Operational Risk event i.e. by inadequate or failed internal processes, people, systems, or from external events. As an example, where there is a breakdown in the control environment which results in, or has the potential to result in, an adverse impact to Westpac, an incident must be recorded in ACCORD. The adverse impact can be financial (e.g. loss) or non-financial (e.g. non-compliance with legal or regulatory requirements, financial misstatements). Please note that there may be certain circumstances where the occurrence of an incident is not as the result of a control breakdown, e.g. severe weather conditions.
Operational Risk incidents that do not result in an actual financial loss (i.e. near miss incident) are treated in the same manner as all other Operational Risk incidents. They are recorded when they meet the minimum reporting threshold as they:
Provide a valuable learning experience - they demonstrate where controls have failed and where Westpac could have lost money and/or it has not discharged its obligations correctly. Once recorded, they will follow the IM process. This means that management is aware of the issue and its cause and can rectify it before it leads to an actual financial loss
Help to identify systemic issues (i.e. where the same or similar issues occur multiple times indicating an underlying problem) that would otherwise have gone undetected. These often seemingly small issues can indicate significant control failures with potentially serious implications for Westpac
Operational Risk incidents may also feature one or more of the following characteristics:
- Credit Risk-related incidents caused by Operational risk (CROPs) - where an operational risk event resulted in a lending loss that otherwise would not have occurred.
- Market Risk-related incidents caused by Operational risk (MOPs) - where an operational risk event leads to a difference between initial value and mark-to-market value.
- Related incidents - are made up of a group of related operational risk events (that often occur over a period of time) but that are all a direct result of one initial operational risk event.
- Money Laundering (ML) - where it is suspected that activity relating to the placement, layering and/or integration of illegally obtained funds is occurring, whether or not as a result of an operational risk event.
- Terrorism Financing (TF) - where it is suspected that activity relating to the funding of terrorism is occurring, whether or not as a result of an operational risk event.
Incident data is obtained from different key sources/Source Systems1 and provides input into ACCORD:
- Operational Risk incidents: Incident Identifiers must log incidents immediately in ACCORD via the "record an incident form" on the intranet.
- Fraud incidents: All fraud incidents must be immediately reported via the "report a fraud" link on the intranet (via Fraud Detection Toolkit). Group Investigations will advise Financial Crime Management (FCM) of any incidents that require entry into ACCORD, which are then captured within pre-defined SLAs.
- Work Health & Safety (WH&S) incidents: All WH&S incidents must be logged immediately via the "safe and sound" link on the intranet homepage. The Risk Systems & Data team receives incidents monthly from STARS (the WH&S system) and enters them in ACCORD.
- Legal Risk related Operational Risk incidents (LOPs): The business is expected to maintain incident-related litigation data in ACCORD, including provisions.
- Technology incidents: These are initially recorded in Remedy (Technology's IM system). On a monthly basis, Remedy incident records and National Operations Centre (NOC) reports are reviewed by Technology. Technology-related incidents meeting minimum reporting thresholds are then recorded in ACCORD by Group Technology.
- ML/TF incidents: ML/TF suspected activities must be reported to the Division Compliance team for assessment2. The Division Compliance team must report significant ML/TF suspected activities to the Enterprise Financial Crime AML/CTF team via the team email box within five business days3.
- Outsourced Service Provider related Operational Risk incidents: All Outsourced Service Provider incidents are required to be captured in ACCORD.
2.3 Incident Reporting Thresholds
To determine whether an incident must be recorded in ACCORD, minimum thresholds have been established. All incidents that meet one of these thresholds must be recorded:
- Potential and/or actual gross financial impact4 of AUD20k or more; or
- A compliance incident, being an actual, likely or imminent contravention or breach of:
  o a compliance obligation of any applicable law or regulation;
  o an industry standard or code, such as the ASX Market Rules;
  o a material contravention of an internal policy or procedure.
- Non-compliance (or likely non-compliance) with any legal or regulatory requirements (regardless of financial impact).
Incidents which do not result in an actual gross or net financial impact (referred to as a "near miss") are still required to be recorded in ACCORD where the potential financial impact is AUD20k or more.
2.3.1 Financial threshold
At a Group level, Westpac has established a minimum financial threshold (AUD20k) at which incidents must be reported. However, Divisions may set a lower threshold if they wish (e.g. Technology currently record all Severity 1 incidents).
1 Refer to Appendix 8
2 NB The escalation of suspected ML/TF activity to the relevant divisional compliance team does not replace or remove an employee's suspicious matter reporting (SMR) obligations under the AML/CTF legislation.
3 groupamlctf@westpac.com.au
4 Gross Financial Impact means the impact before an allowance is made for a recovery and can be positive or negative
Financial threshold - example
Fee miscalculation - A Westpac staff member miscalculates fees and underquotes fees payable by the customer by AUD7k. As the AUD20k threshold is not triggered, an incident does not have to be recorded in ACCORD unless the Division has set a lower threshold, e.g. AUD5k.
The threshold refers to gross amounts. This means that all incidents that have the potential for a financial impact of AUD20k or more must be recorded. The requirement for recording an incident stands even if Westpac recovers the money partly or in full. This is due to the fact that when the incident is recorded, there is no guarantee that money will be recovered in the future.
Operational Risk incidents that result in a positive financial impact (i.e. gain) must be recorded in ACCORD as well (if they meet the threshold).
The trigger points are the occurrence of an Operational Risk event and meeting the threshold, not whether the financial impact results in a loss or gain.
Financial threshold (resulting in gain) - examples
"Fat finger" error - A trader makes a "fat finger" error, buying 5000 derivative contracts instead of 500. By the time this is detected and the trades reversed, the market has moved in Westpac's favour, generating a profit on the trade. This incident must be recorded in ACCORD indicating that the potential financial impact is positive.
Payroll tax rebate error - Due to wrong data communicated to the tax team, the payroll tax traineeship rebate was understated for two consecutive years. This led to a positive tax impact of AUD1.6m. This category of payroll tax rebate was not previously disclosed in the prior years due to the lack of a proper system to track the trainees. This incident must be recorded in ACCORD indicating that the potential financial impact is positive.
2.3.2 Non-compliance threshold
An incident must be recorded in ACCORD for all instances of non-compliance (or likely non-compliance) with legal or regulatory requirements. This includes Licence Conditions, Contracts, Standards, Rules, Regulations, Acts and external Codes that Westpac agreed to adhere to e.g. the Code of Banking Practice.
Non-compliance incidents- examples
Failure to provide amended AFSL - The Operating Rules stipulate that a copy of an amended AFSL for a Registrable Superannuation Entity (RSE) has to be lodged with the ASX within a stipulated timeframe. However, for one particular RSE this was not provided to the ASX until some months later, resulting in a breach under the Operating Rules and the need to record an incident in ACCORD.
Commingling of funds - The mingling of proprietary and client funds held in the operating account of the bank's Margin Lending must be reported to the regulator, as it constitutes a breach of ASIC's requirements, and it needs to be recorded as an incident in ACCORD.
Breach of notification requirements - APS520 stipulates timeframes within which an APRA-regulated institution must lodge its "Fit & Proper" notifications to the regulator. If the notification timeframe for APS520 is missed, a breach occurs and an incident must be recorded in ACCORD.
If there is any doubt as to whether an incidence of non-compliance (or likely non-compliance) has occurred, the matter should be escalated to the relevant Compliance Advisor immediately, who will advise if the matter needs to be recorded in ACCORD.
Westpac Group has the regulatory obligation to notify its regulators of certain compliance matters, in particular, notification to ASIC of significant breaches of the AFSL obligations (refer to the AFSL Breach Policy). Failure to report matters or undue delays in investigating and reporting matters could result in legal or regulatory action being brought against staff or Westpac. Any matter thought to be significant and/or reportable to a regulator must be escalated immediately to the relevant Compliance Advisor in addition to being promptly recorded in ACCORD.
Please note that all notifications to regulators continue to be made centrally and exclusively via Group Regulatory Affairs and not by Divisions (refer to section 12, External Reporting, and also to the "Managing our Regulatory Relationship" Policy). All regulator notifications are subject to the AFSL Breach Policy, Voluntary Disclosure and Legal Professional Privilege Policy and Managing our Regulatory Relationships Policy.
Accounting errors
These incidents are due to an operational risk event and result in a temporary misstatement in financial accounts that require subsequent correction e.g. revenue overstatement, accounting errors and mark-to-market errors.
Accounting errors - example
Valuation errors - A portfolio of derivatives has an incorrect mark-to-market valuation applied, resulting in incorrect P&L gains over a number of years. The P&L gains are written back in the current year, giving rise to a large P&L expense.
Often, when accounting errors are corrected no direct financial impact arises. However, these incidents can stretch over multiple financial periods and therefore could lead to significant misstatements as well as non-compliance with regulatory requirements.
While these events may not represent a true financial impact on the bank (because the net impact over time is zero), if the error continues across two or more accounting periods, it may represent a material misrepresentation of the bank's financial statements. Material "timing losses" due to operational risk events that span two or more accounting periods should be included as operational risk incidents when they give rise to legal or compliance events (e.g. Sarbanes-Oxley deficiencies and statutory/regulatory reporting errors).
2.4 Related Incidents
Related incidents are incidents that consist of a group of connected operational risk events. The incidents are connected because they are a direct result of the same underlying operational risk cause event, even if the events occur over a period of time. The original incident must be recorded in ACCORD and all further occurrences (i.e. related incidents) must be updated within the initial incident.
These related incidents, due to the same underlying event, should be reported in ACCORD under the initial original incident irrespective of their dollar value. This would allow the full financial impact of related incidents to be identified even if the individual related incidents are below the relevant financial threshold.
Related incidents - example
Mainframe storage outage - An approved technology change in Sydney leads to a mainframe storage outage that suspends all processing but is recovered during the day. However, the next day payment systems in NZ are unable to send/receive transactions as a result of the original outage, leaving settlement transaction flows and customers waiting.
2.5 Money Laundering (ML) / Terrorism Financing (TF) incidents
ML is the name given to the process by which illegally obtained funds are given the appearance of having been legitimately obtained to avoid prosecution, conviction and the confiscation of those funds. Anti-Money Laundering (AML) is concerned with mitigating the risk that Westpac products or services may be used in the course of ML.
TF is the name given to the funding of terrorism. In comparison to ML, which aims to hide the origin of illegally obtained funds, TF seeks to hide the destination of funds (which may be derived from legitimate or illegitimate sources). Counter-Terrorism Financing (CTF) is concerned with mitigating the risk that Westpac products or services may be used in the course of TF.
AML / CTF Incidents
AML / CTF breaches differ from ML/TF incidents and are cases where there has been either:
- Non-compliance with AML/CTF requirements and/or obligations resulting in a breach
- A break-down or misapplication of processes and procedures resulting in a breach of AML/CTF requirements and/or obligations
AML / CTF incidents - examples
Failure to meet regulatory reporting timeframes - due to an IT or manual processing issue Westpac fails to report Suspicious Matter Reports (SMRs), Threshold Transaction Reports (TTRs) and/or International Funds Transfer Instructions (IFTIs) within the required legislative timeframes.
Complete Payer Information - IFTIs are processed by branch staff as over-the-counter customer transactions but fail to capture the "complete payer information" in the transaction details as required by the AML/CTF Act and Rules.
Breaches of AML/CTF legislation should be reported to the Group Money Laundering Reporting Officer (MLRO) as the primary contact and the Head of Group Regulatory Affairs. The Group MLRO (or approved delegate) is responsible for ensuring breaches are reported to AUSTRAC in accordance with the AML/CTF Breach Reporting Procedure.
AML/CTF compliance breaches, regardless of financial impact, are recorded as an incident in ACCORD.
ML / TF incidents
ML / TF incidents are cases where:
1. It is known or suspected that Westpac products or services have been used in the course of ML and/or TF; and
2. there has been either:
- Identified weaknesses in any risk controls, processes or procedures
- Identified gaps in the AML/CTF control infrastructure, for example, in employee training and awareness; and/or
- A change in the inherent and/or residual risk represented by a Division's customers, products/services, jurisdictional impact and/or channels caused by the suspected ML/TF activity.
ML / TF incidents - example
Identification & Verification (ID&V) - due to a breakdown in processes and procedures a large number of a particular customer type are onboarded without the relevant Customer Identification Program (CIP) requirements being met.
All ML/TF incidents should be submitted to the relevant Division AML/CTF Risk and Compliance team to undertake an assessment of whether:
- a regulatory or compliance breach has occurred. In this case, an incident should be recorded in ACCORD.
- the ML/TF risk presented by the linked customer(s) needs to be managed and mitigated under the appropriate High Risk Customer processes and procedures.
- the ML/TF suspected activities meet or exceed the significant/systemic case criteria. In this case, they will be reviewed and assessed on a case by case basis by Enterprise Financial Crime AML/CTF and may result in a detailed findings memo to enable the divisional stakeholders impacted by the customer(s) involved to be able to make risk appetite, management and mitigation decisions. Cases meeting the significant/systemic criteria (see Appendix 9) should be raised and managed in ACCORD as an issue and linked to the impacted risks and/or controls.
ML/TF incidents may not be, in themselves, direct breaches of AML/CTF legislation, however Westpac is required to comply with the relevant reporting obligations under the AML/CTF legislation including any suspicious matter reporting in relation to the incident.
2.6 Boundary Losses
Losses that were caused by an Operational Risk incident but manifest themselves in other risk types such as Credit or Market Risk can sometimes be hard to distinguish and classify correctly. It is important to establish the underlying cause for incidents to correctly capture boundary losses caused by Operational Risk, as this will determine whether the incident is included in the calculation of Operational Risk regulatory capital.
Incidents that are Operational Risk-related credit losses must be treated as Credit Risk for the purpose of calculating regulatory capital with the exception of fraud (perpetrated by parties other than the borrower), which is treated as operational risk for the purpose of calculating regulatory capital. These are communicated to the Enterprise Risk Analytics (ERA) team and are excluded from the Operational Risk capital model where appropriate.
2.6.1 Credit Risk-related incidents caused by Operational Risk (CROPs)
Credit risk is the risk of loss due to counterparty default. Credit Risk-related incidents caused by Operational Risk (CROPs) arise when the credit loss is due to an Operational Risk incident (such as process failure or fraud).
Where Westpac experiences losses that appear to be pure credit losses (e.g. mortgage default), it needs to be established if this is indeed the case or whether the credit loss was due to an Operational Risk incident. A staff member could have made an error during the mortgage assessment process, for example, and approved an application incorrectly whereas, if procedures had been followed correctly, the mortgage would not have been approved. In this case, the cause for the credit loss is due to an Operational Risk incident.
Categorisation /Treatment of CROPs
CROPs can be categorised by applying the decision tree outlined below to confirm whether or not it is a pure Credit Risk, an Operational Risk or a CROP event. CROPs are treated as Credit Risk for the purpose of calculating regulatory capital. The exception is fraud5 (perpetrated by a member of staff or a third party, with or without the borrower*s involvement) which is treated as Operational Risk for the purpose of calculating Operational Risk regulatory capital.
5 Internal Fraud losses relate to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party. APRA, Prudential Standard APS 115, Jan 2013. Note: Internal Fraud* includes both Theft & Fraud and Unauthorised Activity.External Fraud losses relate to acts of a third party that are of a type intended to defraud, misappropriate property or circumvent the law. APRA, Prudential Standard APS 115, Jan 2013.
Note that a CROP should only be reported at the point at which a loan default has resulted in either a provision or write-off. The decision tree below should not be used in isolation from the wider Incident Management Procedures and Guidance, as an event that is not determined to be a CROP may still need to be recorded as an Operational Risk incident.
CROPs decision tree
[Decision tree diagram: not reproduced in this text version]
** The actual accounting treatment may vary and is subject to final determination by Finance having regard to the particular facts of an incident, Group Accounting Policies, applicable Accounting Standards and any specialist advice.
CROPs - examples
Security not registered correctly - A customer goes into default. Collections begin recovery action and a security check reveals that the Bank has not correctly registered a mortgage over the property and is unable to recover the loan. Outcome: CROP - excluded from Op Risk Capital.
Fraudulent loan approval - Collections advise that they hold an account that has been referred to the fraud department. Investigation finds that the customer provided fraudulent income and liability details (e.g. inflated income/reduced number of dependants) that are of an obvious nature and should have been identified by the Loan Assessor during loan approval. The customer is overcommitted and makes only a few repayments before going into default. Outcome: CROP - excluded from Op Risk Capital.
Inadequate loan approval - An unsecured loan for a customer falls into arrears and a provision is raised against the loan. A review of the file reveals that the assessor did not perform a credit check and hence failed to detect previous credit defaults and judgements against the customer. The assessor's error was considered a failure to follow procedure rather than intentional. Outcome: CROP - excluded from Op Risk Capital.
Significant customer defaults - A significant business customer defaults on a loan. Investigations revealed that the default was due to the customer losing a major client and hence the business was unable to meet existing obligations. There was no failure in the Bank's lending processes. Outcome: Not a CROP - pure Credit Loss.
Fraudulent loan approval - We lend $50m to a business and take security over a number of properties. The borrower defaults due to a decline in their business. In working through the default, it becomes clear that there was a process failure at origination and we had not correctly registered security over one of the properties, and another creditor is able to take possession of that property and sells it. We end up recovering $20m from the borrower, so the total lending loss is $30m. However, if we had been able to take possession of the third property and sell it, we estimate that our losses would have only been $22m rather than $30m. Outcome: CROP - excluded from Op Risk Capital for $8m (the amount that the process failure contributed to the loss).
2.6.2 Market Risk-related incidents caused by Operational Risk (MOPs)
Market Risk is the risk of loss/gain due to changes in market prices on outstanding positions arising from discretionary market judgements.
Operational Risk-related Market events (MOPs) arise where there has been an Operational Risk event (e.g. a keying error such as 'buy' instead of 'sell') which causes either a market risk loss or a gain.
By closing unwanted positions, losses or gains may be realised, depending on price movements in, for example, foreign exchange rates, interest rates, commodity or equity prices.
MOPs - examples
Foreign Exchange contract confirmation - A customer called to discuss a price on a forward contract to buy USD. A miscommunication between the customer and the dealer resulted in the dealer booking the deal, which the customer's dealer later said should not have gone ahead. Westpac closed out the transaction at market rates and incurred a loss.
Incorrect beneficiary name - An overseas telegraphic transfer was actioned with the customer's name misspelt. The customer advised that the payment was rejected by the overseas bank, which then sent the funds back to Westpac using a different exchange rate. There was thus a shortfall and also a risk that Westpac was liable for the lost interest amount.
Incident (trading position open) - A customer had call options in portfolios with a May expiry date, for which Westpac must sell underlying stock at AUD750k at expiry. However, the underlying stock was not sold due to a miscommunication with the trading desk, and reconciliation monitoring failed to pick this up. When discovered two days later, the market value is AUD500k. The action to sell is taken and the position is closed at AUD450k, with a total loss of AUD300k. The loss has to be recorded immediately when it is identified, even if the positions are still open, i.e. where the loss is AUD250k. The total loss amount can be amended later.
Unwanted positions (gain) - A misunderstanding between two dealers results in the purchase of AUD500m of securities instead of AUD5m because confirmation protocols were not followed (i.e. the dealer was not advised of the purchase). By the time the Westpac dealer has sold the unwanted securities, the market had moved 10 bps, resulting in a gain to Westpac of AUD330k.
Treatment of MOPs
MOPs must be recorded in ACCORD when the incident occurs, regardless of the trading position, i.e. whether positions are open or closed. All MOPs must be captured in ACCORD and flagged as Market Risk incidents.
MOPs that are open events (open market risk position) must be included in the calculation of the Traded market risk, Foreign exchange and Commodities (TFC) capital requirement.
MOPs that are closed events resulting in an actual loss/gain (closed market risk position) must be treated as Operational Risk for the purpose of calculating Operational Risk regulatory capital.
MOP with open positions - example
Foreign Exchange keying error - The FX Desk was meant to sell $USD100m of foreign currency but instead bought $USD100m of foreign currency due to a human error. The position is still open on the books (i.e. no steps have been taken to unwind and close out).
Market or Operational Risk incident? This is a Market Risk-related incident caused by Operational Risk (MOP) - the Market Risk flag in ACCORD must be ticked.
Cause Analysis: A keying error was made that allowed the trader to buy instead of selling $USD100m of foreign currency.
Capital Model: Include the $USD100m in the open FX position for TFC Capital calculations.
MOP with closed positions - example
Foreign Exchange keying error - The FX Desk was meant to sell $USD100m of foreign currency but instead bought $USD100m of foreign currency due to a human error. The position is not open on the books (i.e. the position has been closed out, but in doing so a loss of $USD1m has been realised due to market movement and associated costs).
Market or Operational Risk incident? This is a Market Risk-related incident caused by Operational Risk (MOP) - the Market Risk flag in ACCORD must be ticked. A financial impact of $USD1m must be created in ACCORD.
Cause Analysis: A keying error was made that allowed the trader to buy instead of selling $USD100m of foreign currency.
Capital Model: Include the actual loss of $USD1m in Operational Risk capital calculations.
2.7 Legal Risk related Operational Risk incidents (LOPs)
All Legal risk related incidents that impact Westpac are required to be captured in ACCORD in line with the internal incident reporting thresholds.
Legal risk related incidents include but are not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as ordinary damages in civil litigation, related legal costs and private settlements.
This applies to the full scope of Group activities and may also include others acting on behalf of the Group. Common Legal Risk incidents include all claims against the Bank that involve allegations of wrongdoing and/or liability and where payments are made to third parties to settle 'claims'. It includes payments which are required as a result of legal proceedings as well as payments with no admission of liability or wrongdoing. By way of example:
- Alleged staff misconduct
- The provision of negligent or inappropriate financial advice
- Failure to follow a customer's mandate
- Payments made to customers or other parties to settle claims, disputes or complaints
Legal Risk related Operational Risk incidents - examples
The provision of negligent or inappropriate financial advice - The Financial Services Ombudsman (FOS) makes a determination that Westpac is liable to compensate a customer who has incurred a financial loss from investing in a financial product based on a personal advice recommendation from a bank teller (who was not authorised or trained to provide personal advice).
Payments made to customers or other parties to settle claims, disputes or complaints - A customer threatens to take legal action against Westpac following an opportunity cost they incurred as a result of a delay in trade settlement. Although Westpac does not believe that it is liable for the opportunity cost, a control breakdown has been identified and it is agreed to settle the claim as a goodwill gesture.
For litigated matters, or where a real threat of litigation exists, guidance should be sought from Legal concerning the wording of the incident. All legal advice should be clearly flagged so as to be excluded from discovery if so required.
At a minimum, a LOP is required to be recorded in ACCORD at the point when a provision is raised in the Financial records or when a claim is settled. Where a provision for the claim is raised, the date that a loss event is recorded for operational risk capital purposes should be consistent with, and no later than, the date the legal provision is established.
For incidents where no control breakdown can be identified, the incident can be recorded in line with the 'Lite' treatment as prescribed in Section 8 - Incident Rectification.
For litigated settlements of insurance claims where no control breakdown or inadequate or failed internal processes have been identified, the portion of the provision or settlement relating to the policy claim amount should not be captured as a LOP. This claim-related portion is considered Insurance Risk and should already be factored into the insurance capital. The portion that should be captured as a LOP is any legal costs, penalties or punitive damages awarded over and above the claim that is being litigated.
Treatment of LOPs prior to recording
If the LOP is not yet due to be recorded within ACCORD, the following must still be performed as appropriate:
- Timely root cause analysis and remediation of the incident; this may be completed by Legal or the Operational Risk Advisor.
- Consider relevant potential Legal exposures in the RCM and Scenario processes.
- If the LOP could have a potential material impact on the Operational Risk Regulatory Capital, contact Group Regulatory Affairs, as consideration should be given to bringing the relevant facts and circumstances of the LOP to the attention of APRA where appropriate.
- If the LOP has potential to result in a regulatory breach, contact Specialised Compliance, as consideration should be given to bringing the relevant facts and circumstances of the LOP to the attention of the relevant regulator as appropriate.
2.8 Outsourced Service Provider related Operational Risk incidents
All Outsourced Service Provider incidents that impact Westpac are required to be captured in ACCORD in line with the internal incident reporting thresholds.
Outsourced Service Provider Incident - examples
An Outsourced Service Provider who provides mail-house services issues a large number of credit card statements to the incorrect customers, resulting in a potential regulatory breach.
An Outsourced Service Provider who provides cheque clearing services to the Group remits $500K to an incorrect Third Party. The funds are recovered; however, our contract with the Outsourced Service Provider indemnifies them for any losses over $250K. This is captured as a near miss incident, as there was a potential loss of $250K to Westpac.
These will generally be identified and recorded by the Business Unit impacted by the incident (or by the Vendor where they have system access); however, where they are Enterprise related (impacting more than one Business Unit), it may be appropriate for Enterprise Sourcing to record the incident. Guidance should be sought from your Risk Advisor.
Once an incident is recorded and verified in ACCORD, requirements for root cause analysis, remediation etc. are the same as with internal incidents, with the service provider undertaking a number of the underlying activities.
2.9 Operational Risk incidents related to projects
Project Related Loss Events could be due to project risks or operational risk incidents related to projects.
Project risk is the risk that the project does not provide the agreed functionality and/or complete within budget and/or complete on time (e.g. budget overruns, scope creep, project cancellations).
Operational Risk incidents related to projects arise as a result of project activity (i.e. impacting business processes, resourcing and IT systems) which may prevent the business from meeting its objectives (e.g. late or duplicate payments, frauds, guideline breaches).
Treatment of Project risk losses
Project risk losses incurred due to incorrect judgment and bad decisions are regarded as Strategic Risk and not treated as Operational Risk incidents, as they are not Operational Risk based on the Basel definition. Budget overruns, 'scope creep' and project cancellations are not considered Operational Risk incidents because the underlying judgments and decisions are similar to decisions to invest in new business, which may go wrong in a similar manner.
Operational Risk incidents that happen during the project or as a result of a project implementation are recognised as Operational Risk incidents and must be recorded in ACCORD when the incident occurs.
Operational Risk incidents related to projects - examples
Unexpected operational impacts during a project or as a result of project implementation - Ineffective testing or roll-out causes unforeseen operational (e.g. people, process, system or customer) impacts or losses.
Project Risk examples not related to Operational Risk
Changes to a project scope or 'scope creep' - A strategic decision is taken to modify a project scope during the course of a project and is appropriately approved by a governance committee, and the original budget and timeframes are extended as a result.
Budget overruns and project cancellations - Failure to plan and manage the resources required for achieving project goals, leading to budget and/or time overruns, or a cancellation of a project.
Unrealised project benefits - Unrealised benefits relating to a project due to a failure to meet its scope or objectives are not considered to be losses.
3 Incident Management Process
If an incident meets the minimum reporting thresholds, the incident must be managed through all stages - from identification and recording, through verification, ownership, assessment and rectification to closure.
The roles of Incident Verifier, Incident Owner and Rectification Manager should be carried out by different people. These roles should be segregated to ensure the quality of data and an independent review. Where segregation of roles is not possible, guidance must be sought from GORI.
In accordance with the ORMF, Incident Verifiers are typically from the 2nd line of defence (i.e. Division Risk Advisors or Core Teams), whereas Incident Owners and Rectification Managers are from the 1st line of defence (i.e. the Business). For the specific roles and responsibilities of the IM process refer to the ORMP.
3.1 Incident Management Metric
IM activities must be progressed and escalated through to the acceptance of the ownership stage within five business days of the incident being identified.
For Technology, Fraud and Occupational Health & Safety incidents, these must be progressed and escalated through to the acceptance of the ownership stage within five business days of the incident being recorded within ACCORD. This is due to these incidents being initially recorded, owned and managed in different systems and recorded to ACCORD on a later date if the minimum reporting thresholds are met.
Timely identification and recording of Operational Risk incidents is critical for their effective management and an indicator of a 'healthy' risk culture. Incidents must be escalated to internal stakeholders as soon as possible to enable them to commence mitigation activities. This will ensure that incidents and any potential control weaknesses are addressed in a timely manner with clear accountability. Additionally, it supports the requirement to advise regulators of reportable breaches within prescribed timeframes.
Incidents that have not been owned within the current five day policy requirement will be escalated weekly to CROs and on a monthly basis to the responsible Group Executive. In the event that ownership of an incident cannot be agreed between relevant business units, the Group Head of Operational Risk and Insurance will make a determination on ownership in consultation with the GM, Operational Risk and Assurance with notification to the Group CRO.
The above metric is supplemented by additional metrics which are distributed on a monthly basis by the Risk Systems & Data team:
- Time-to-record: as an indicator of a 'healthy' risk culture
- Time-to-verify: to encourage timely awareness and reporting
- Time-to-own: to encourage timely ownership and data quality of incidents in alignment with Westpac's risk culture of no surprises
[Process diagram: Identification & Recording > Verification > Ownership > Assessment > Rectification > Closure]
3.2 Incident Management - key roles & responsibilities
Incident Identifier (refer to section 4)
- Raise all incidents reaching minimum reporting thresholds in ACCORD within the required timeframe stated in Section 3.1 of this document.
- Ensure sufficient information is entered into ACCORD to enable the nature of the incident to be understood, verified and assessed in ACCORD, including whether it has a compliance impact.
- Identify the primary caused BU and notify the Incident Verifier. Stakeholder engagement is KEY. Contact the necessary stakeholders, e.g. the Verifier, to discuss in person or via telephone.
- Re-assign incidents as a result of business restructures.
Incident Verifier (refer to section 5)
- Confirm data integrity of all details contained in the incident (usability, accuracy and completeness), ensuring that it is not a duplicate entry.
- Confirm whether the incident meets the definitions of an incident.
- Review the details of the incident documented by the Incident Identifier and ensure that the financial details captured are correct and the description is clear, including the root cause contributing to the incident occurrence; update if required.
- Consult with their BU Risk representative where required.
- Confirm the Impact classification of the incident.
- Assign an Incident Owner.
- Assign mandatory incident stakeholders based on the primary caused BU and primary impacted BU.
- Assign a Rectification Manager.
- Confirm whether the incident should be flagged as 'sensitive'.
- Confirm if the incident has been correctly flagged as credit risk or market risk related, if applicable.
- Confirm both the Basel Event Type and the Basel Business Line. The timely and accurate execution of verification is key as it drives the overall workflow of the management of the incident, especially the timely investigation, assessment and reporting of regulatory/legislative breaches.
- Obtain ACCORD updates from Legal where appropriate.
- Assess whether the incident has a compliance impact.
Incident Owner (refer to sections 6 & 9)
- Overall accountability for the incident, including ownership for the life of the incident.
- Manage and oversee the rectification of the incident until closure.
- Prior to closure: ensure that all assessments are completed, including financial, risk and control, legal, compliance and insurance.
- Confirm all linked issues and action items have been satisfactorily completed and all necessary supporting documents are attached in ACCORD.
- Authorise closure of an incident.
Incident Rectification Manager (refer to section 8)
- Coordinate the development and execution of a rectification plan in conjunction with mandatory stakeholders.
- Ensure that agreed action items from the assessments (if any) are incorporated within the rectification plan.
- Confirm the financial impact of an incident and liaise with the BU Finance contact to ensure that the final entries are accurately reflected within both ACCORD and the General Ledger.
- Provide updates and status reports as required.
- Ensure that an accurate record is created in ACCORD.
- Ensure that the incident is rectified in a timely manner.
- Link the incident/issue to a risk and/or control in ACCORD.
- Recommend incident closure to the Incident Owner.
4 Incident Identification and Recording
All employees have a responsibility to identify and record incidents. The person who identifies the incident or potential incident (the 'Incident Identifier') must raise an incident in ACCORD immediately.
The key dates that are recorded in relation to incidents are:
- 'Incident recorded' date is created automatically when the incident is entered into the system.
- 'Incident identified' is the date the Incident Identifier becomes aware of the incident. As incidents are required to be recorded immediately, the 'incident recorded' date should be either the same as the 'incident identified' date or as soon as possible afterwards (i.e. within 24 hours).
- 'Incident occurred' is the date on which the incident took place. The 'incident occurred' date can be the same as, or prior to, the 'incident identified' date.
The 'recording' step in the process is where information about the incident is entered in ACCORD. All incidents that meet the minimum reporting threshold must be captured in ACCORD6. The incident identification form for ACCORD can be accessed via the intranet through the Resources & Tools link on the Westpac Intranet, then clicking on the 'Record an Incident' link.
If employees are unsure whether to capture an incident, they should immediately contact their Manager, Operational Risk Advisor, Compliance Advisor or Group Operational Risk & Insurance for further guidance.
Entry of data that describes the incident is the first step in the IM process. The data should be accurate and where possible, sufficiently detailed to enable the Incident Verifier to understand the circumstances and causes of the incident in order to carry out their role.
At a minimum, the incident data must contain this information:
- Name and contact details of the employee who identified the incident
- Date that the incident occurred (if an incident has occurred over a period of time, the initial date of the incident should be entered)
- Date the incident was identified
- Name of the incident (the name of the incident should be succinct, e.g. duplication of payment, credit card fraud, non-compliance with licence condition, ATM outage etc.)
- Description of the incident, including the root cause of the incident where possible. Descriptions may be read by a diverse audience not familiar with the circumstances of the incident, ranging from peers to Senior Management. Therefore the description should be accurate, succinct and in plain English. Avoid abbreviations and include all relevant information.
- Potential financial impact7, including whether the financial impact is negative (i.e. loss) or positive (i.e. gain) and the currency
- Compliance impact: for all non-compliance with legal or regulatory requirements (including AML/CTF related incidents) it is mandatory to tick the compliance box in ACCORD. If the Incident Identifier is uncertain whether there is a compliance impact or not, 'unsure' may be selected. These incidents will then be assessed by a Compliance Assessor. Incident Identifiers should only select 'No' in situations where they are certain that there is no compliance impact.
- Primary Caused BU, i.e. the BU believed to be responsible for the incident, and Primary Impacted BU, i.e. the BU believed to be most affected by the incident (refer to section 5, Incident Verification, for the definitions)
- Product and Process (optional at this stage in the process) (see Appendices 4 and 5)
- Additional Caused and Impacted BUs (optional)
6 Note for ML/TF incidents: as it is not possible to restrict access to an incident recorded in ACCORD to the core impacted business stakeholder group, it is critical that the appropriate level of detail is provided and, where necessary, restricted, to ensure that the risk of inadvertently breaching the 'Tipping Off' provisions of Section 123 of the AML/CTF Act is managed.
7 The potential financial impact is the total gross financial impact for the incident at the time of identification, i.e. the maximum financial impact that the incident could have, considering the control environment in which it occurred before any action has been taken to rectify.
Business Units must train their staff to ensure they know what an Operational Risk incident is and what incidents need to be captured in ACCORD (refer to the Online Incident Management Training modules available in E-academy as well as the quick reference guides located on the ACCORD support site). Once the information has been entered into ACCORD, an e-mail notification (and a notification to the ACCORD inbox) is sent by the system to the Incident Verifier(s).
Throughout this process stakeholder engagement is KEY. Whilst it is important to escalate the incident within the required timeframes stated in this document, it is equally important to discuss events with those ultimately responsible for the management to ensure there are NO surprises or unnecessary delays.
When logging an incident, it is important to ensure the correct BUs are selected, as this determines who will be responsible for verification and ownership. It is important to communicate with these stakeholders, especially when logging incidents outside of your own BU. If in doubt, speak with your Risk representative.
Clear communication with stakeholders will save any additional rework and potentially prevent an incident from being unnecessarily rejected at verification.
4.1 Incident Identification and Recording - Example
Incident Identification
The relationship of a long-term customer was migrated through several different Divisions over a period of years. The customer currently holds a range of facilities for his business (around AUD20m). All facilities are essentially uncontracted and out of date, and business finance agreements have not been executed for several years.
The Incident Identifier should ask two questions to decide whether or not the incident should be entered into ACCORD:
- Is this an incident? As the incident resulted from inadequate client account management due to multiple key staff changes, it is an Operational Risk incident.
- Does the incident meet the minimum reporting threshold? As the customer facilities are around AUD20m, the reporting threshold is met and the incident should be recorded in ACCORD.
Example ACCORD entry:
Incident ID: System generated (important reference for future data entries related to the incident)
Incident Identifier: June May
Identifier Phone No.: 02 1234 5678
Incident Status: System generated
Date Incident Recorded: System generated
Date Incident Occurred: 30 Nov 2008
Date Incident Identified: 17 Feb 2012
Detailed Incident Description (including root cause): Customer holds around AUD20m of facilities for his business, which are uncontracted and out of date, as agreements have not been executed for several years as a result of inadequate client account management across Divisions.
Primary Caused Business Unit: Corporate Business Group
Primary Impacted Business Unit: Corporate Business Group
Product/Process: These fields are optional for the Incident Identifier and, if left blank, must be determined by the Incident Verifier
Potential Financial Impact: AUD20m - the maximum possible loss is the total value of the facilities
Currency: AUD
Financial Impact positive or negative: Negative
Compliance Impact?: No (If the Incident Identifier is unsure whether there is a compliance impact, 'unsure' can be selected, triggering an assessment by a Compliance Assessor)
Initial actions undertaken to rectify or prevent recurrence of the incident?: Internal review of procedures and controls commenced where 'handover' of a customer from one Division to another occurs
Additional Caused BU/Additional Impacted BU: No
5 Incident Verification
Divisions designate one or more employees as the 'Incident Verifier' to be responsible for confirming the incident information that has been captured in ACCORD.
Incident Verifiers play a key role in the IM process as they assure the quality of incident data, i.e. that it:
- Supports the management of incidents
- Ensures data integrity, as it is an input into the Operational Risk Capital Model (BU capital allocation is dependent on the allocation of the Primary Impacted BU for Internal Loss Data)
- Meets regulatory requirements, e.g. the requirement to provide regulatory reporting of internal incidents by Basel Event Type
The key responsibilities of the Incident Verifier are to:
- Confirm that the incident meets the minimum reporting threshold
- Confirm that there is no duplication of incidents
- Ensure the quality of the data provided (i.e. that it is usable, sufficiently detailed, accurate and complete), such that the reader can obtain a clear understanding of the incident, (potential) impact and underlying cause(s). If there is not enough information or clarity as to what caused the incident, the Incident Verifier contacts the Incident Identifier for additional information
- Review the potential financial impact and estimated financial impact
Financial Impact
Financial impact is defined as the direct loss or gain resulting from the actual operational risk incident as well as other associated direct costs. Note that within ACCORD the incident verifier must capture both the Potential and the Estimated financial impact.
Potential Financial Impact
The potential financial impact is the total gross financial impact for the incident at the time of identification, i.e. the maximum financial impact that the incident could have. After verification, the potential financial impact can no longer be amended.
Estimated Financial Impact
The estimated financial impact indicates what financial impact is required to be captured in the General Ledger. This number may be amended throughout the life cycle of an incident, until investigation confirms its final value.
Any cost that is incurred directly and solely because of the operational risk incident, not just the actual loss of e.g. fraud or processing error, should be included in the financial impact of the incident (see Appendix 1).
The estimated financial impact of an incident is required to be reviewed throughout the life of the incident until the incident is rectified and closed. The incident data for the estimated financial impact (together with other aspects of the progress of IM) must be updated in ACCORD, whenever there is a significant change.
Review and ensure that Primary Caused BU and Primary Impacted BU are completed correctly
Primary Caused Business Unit
The Primary Caused BU is the owner of the control or process weakness which gave rise to the incident. A control breakdown will include a situation where controls were not performed as required through, e.g. poor design, application or execution.
Where an incident has been allocated to an incorrect BU Caused, the Incident Verifier must consult with the Incident Verifier from the correct BU Caused and agree an approach to the submission of the incident in ACCORD. The Incident Verifier should not reject an incident on the basis of the incorrect BU Caused being allocated.
Primary Impacted Business Unit
The Primary Impacted BU is the BU that bears the majority of the impact of an incident. Generally, this is the BU that bears the financial loss. It is important for this categorisation to be accurate, as the capital model uses the Primary Impacted BU. Where an incident affects a product or customer, the impacted BU is defined as the BU that earns the revenue from the affected product or customer and has an associated real economic profit target (a list of such BUs is maintained by the Division Finance teams).
There can be multiple BUs that cause an incident and multiple BUs that are impacted by the incident; however, there will be only one Primary Caused BU and one Primary Impacted BU. The Primary Caused BU and Primary Impacted BU can be the same.
Ensure that the correct Basel Business Line (BBL) and Basel Event Type are recorded (see Appendices 2 and 3). The Basel Business Line (BBL) relates to the business area that bears the financial loss (i.e. the Primary Impacted BU) and the business activity that it relates to. This information is a key input into the Operational Risk Economic & Regulatory Capital Model. An incorrect choice could negatively impact your BU during the operational risk capital model reviews. It should be assessed at an incident level, see example below.
Basel Business Line mapping - example
Due to an oversight, incorrect fees for a margin lending product were calculated and communicated to retail customers. Margin Lending is the Primary Impacted BU and will bear the financial impact.
An incident is lodged and during verification the Incident Verifier decides that the correct BBL is 'Trading & Sales' due to the fact that margin lending rolls up into the equities business at the GM level.
However, the BBL should be chosen at the incident level and not necessarily the GM level. The BBL for an individual incident must align with the business activity that it relates to (in this case margin lending to retail customers). In this instance, 'Retail Banking' should be chosen as the correct BBL.
Incidents form part of the input data for the model and the correct categorisation will ensure that the incident is reflected correctly for capital allocation purposes. The Location is the country of occurrence rather than the city.
Ensure that the correct Product and Process have been chosen by the Incident Identifier. If this information was not provided, the Incident Verifier must enter this information (see Appendices 4 and 5).
Product and Process and the event classifications are aligned to the Basel Event Categories. The Product field consists of 12 Level 1 categories (e.g. equities) and further Level 2 product categories (e.g. exchange traded securities and derivatives) and the Process field consists of 17 Level 1 processes (e.g. deliver products and service).
Classify the incident by applying the criteria set out in the table below. Incidents must be classified into one of five categories: Extreme, Very High, High, Medium, or Low. The incident must be given the highest classification of any of the criteria satisfied.
| Classification | Gross Financial Impact (actual and/or potential) | Non-Compliance (actual and/or potential) | Customer Impact | Staff Impact | Reputation Impact |
|---|---|---|---|---|---|
| Extreme | Greater than AUD20m | | Significant impact to most/all of customer base, channels, regions or portfolios | Widespread industrial action or significant impact to most/all of our people | Sustained national adverse media attention and/or substantial long term damage |
| Very High | Greater than AUD2m but less than AUD20m | | Significant impact to most customers in one channel, region or portfolio | Loss of key specialists or team(s) or significant adverse impact to our people in more than one line of business | Sustained local media attention and/or substantial medium to long term damage |
| High | Greater than AUD500k but less than AUD2m | Any significant non-compliance with Legal/Regulatory requirements including all ML/TF incidents | Impacts some part of customer base, channel, region or portfolio | Some impact to our people in more than one line of business | Local adverse media attention and/or substantial short to medium term damage |
| Medium | Greater than AUD100k but less than AUD500k | More than two recurrences of non-compliance previously classified as Low | Impacts small part of customer base, channel, region or portfolio | Some impact to our people in more than one team within one line of business | Limited adverse media attention and/or some short term damage and/or complaints to industry complaints body |
| Low | Less than AUD100k | Any non-compliance | Minimal impact to part of customer base, channel, region or portfolio | Minimal impact to our people and limited to local team | No publicity and/or minor short term damage |
For example, if an incident has a likely financial impact of less than AUD100k but impacts some part of our customer base, channel, region or portfolio, the incident must be classified as High.
Incident classification
Customer credited with incorrect amount: A manual customer request to transfer funds from a Westpac account to an external bank account is incorrectly completed and processed. Customer detects the transfer of AUD3m in the external account instead of AUD300k. Error was caused by numbers being unclear on the voucher (3 zeros after the decimal point). Classification: Very High, as the financial impact is AUD2.7m.
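As an added example that is not part of this procedures document, the following Python encodes the classification table and the rule that an incident takes the highest classification of any criterion satisfied; the short keys for the qualitative cells (e.g. some_part, significant) are assumed shorthand for the table's wording, and the page's two worked cases are run at the bottom.

```python
"""Incident classification per the five-level table: every criterion is rated on
its own and the incident takes the highest rating any criterion reaches.
Added example, not part of the procedures document; the key names are assumed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """Ordered so that max() selects the highest classification."""
    NONE = 0        # constructed sentinel: criterion not triggered at all
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4
    EXTREME = 5


def financial_level(gross_impact_aud: float) -> Level:
    """Gross financial impact (actual and/or potential). The table words the bands
    as 'greater than X but less than Y' and says nothing about amounts exactly on
    a boundary, so this example applies the lower bound strictly."""
    if gross_impact_aud > 20_000_000:
        return Level.EXTREME
    if gross_impact_aud > 2_000_000:
        return Level.VERY_HIGH
    if gross_impact_aud > 500_000:
        return Level.HIGH
    if gross_impact_aud > 100_000:
        return Level.MEDIUM
    return Level.LOW  # 'Less than AUD100k' is Low; the table has no lower row


# Assumed shorthand keys for the qualitative cells of the table.
NON_COMPLIANCE = {
    "significant": Level.HIGH,     # significant legal/regulatory non-compliance, incl. all ML/TF
    "repeated_low": Level.MEDIUM,  # more than two recurrences previously classified as Low
    "any": Level.LOW,
}
CUSTOMER = {
    "most_or_all": Level.EXTREME,          # most/all of customer base, channels, regions, portfolios
    "most_in_one_channel": Level.VERY_HIGH,
    "some_part": Level.HIGH,
    "small_part": Level.MEDIUM,
    "minimal_part": Level.LOW,
}
STAFF = {
    "industrial_action_or_most": Level.EXTREME,
    "key_specialists_lost": Level.VERY_HIGH,  # or significant impact in more than one line of business
    "some_multi_lob": Level.HIGH,
    "some_multi_team_one_lob": Level.MEDIUM,
    "minimal_local_team": Level.LOW,
}
REPUTATION = {
    "sustained_national_media": Level.EXTREME,
    "sustained_local_media": Level.VERY_HIGH,
    "local_media": Level.HIGH,
    "limited_media_or_complaints_body": Level.MEDIUM,
    "none_or_minor": Level.LOW,
}


@dataclass
class Classification:
    level: Level
    per_criterion: Dict[str, Level]
    drivers: List[str]  # criteria whose rating set the final level


def _rate(table: Dict[str, Level], key: Optional[str]) -> Level:
    if key is None:
        return Level.NONE
    return table[key]  # KeyError is deliberate: the assessor must use a table entry


def classify(gross_impact_aud: float, non_compliance: Optional[str] = None,
             customer: Optional[str] = None, staff: Optional[str] = None,
             reputation: Optional[str] = None) -> Classification:
    """Rate each criterion, then give the incident the highest rating satisfied."""
    ratings = {
        "financial": financial_level(gross_impact_aud),
        "non_compliance": _rate(NON_COMPLIANCE, non_compliance),
        "customer": _rate(CUSTOMER, customer),
        "staff": _rate(STAFF, staff),
        "reputation": _rate(REPUTATION, reputation),
    }
    top = max(ratings.values())
    drivers = [name for name, level in ratings.items() if level == top]
    return Classification(top, ratings, drivers)


if __name__ == "__main__":
    # The page's worked cases: under AUD100k but affecting some part of the
    # customer base -> High; a AUD2.7m crediting error -> Very High.
    print(classify(90_000, customer="some_part"))
    print(classify(2_700_000))
```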
Assign Mandatory Stakeholders for Primary Caused and Additional Stakeholders for Primary Impacted BUs based on the incident classification (see table above)
Notifying the Mandatory Stakeholders in a timely fashion supports Westpac's risk culture and ensures that the priority given to the incident receives the appropriate level of oversight. In particular, the stakeholders from the risk function provide independent oversight of the incident and its management.
ACCORD will automatically generate and send a notification e-mail to each of the Mandatory Stakeholders that were entered by the Incident Verifier into ACCORD.
Assign an Incident Owner which is generally from the Primary Caused BU (the Business Unit in which the incident originated) in accordance with the incident classification table (see table above). As with all stages in the incident management process, communication with the necessary stakeholders is important. Discussing with the necessary members prior to assigning any ownership will assist in the matter being owned quickly and save any possible confusion.
Assign a Rectification Manager. Assigning a Rectification Manager should be done in consultation with the primary caused BU and proposed Incident Owner/Rectification Manager. Effective communication throughout this process is important.
Confirm the incident has been flagged correctly as credit risk (ref to the CROPs decision tree) or market risk (if applicable)
Assess whether the incident has a compliance impact and assign a Compliance Assessor where applicable. If the Incident Verifier is uncertain whether there is a compliance impact or not, 'unsure' may be selected. These incidents will then be assessed by a Compliance Assessor. Incident Verifiers should only select 'No' in situations where they are certain that there is no compliance impact.
Determine if the incident should be flagged as 'sensitive', i.e. if it contains sensitive information which should be restricted from normal users to access or view, e.g. AML/CTF incidents or harassment cases.
If there is a Legal contact for the incident, obtain all ACCORD updates from that Legal contact. Include the name of the Legal contact and only include updates that have been specifically provided as updates for ACCORD by the Legal contact. If subject to legal privilege, insert the disclaimer upon receiving advice from Legal
5.1 Incident Verification - Example
Incident Verification
On 22 Nov 2011, a Money Market Deal of GBP20m @0.42 Principal for XYZ Overseas Bank and Interest repayable on maturity (GBP20,001,610.97) is accepted, with a start date of 23 Nov 2011 and a Maturity Date of 30 Nov 2011.
On maturity, the payment is completed by a bank officer and released by her supervisor before cut-off. While the payment is still in transit, a different securities supervisor in the same team receives a phone call from XYZ Overseas Bank, advising that the funds have not been received. Without checking SWIFT Alliance, the supervisor instructs another staff member to create the payment, resulting in the duplication of the payment.
Example ACCORD entry:
| Field | Entry |
|---|---|
| Is this an Incident? | Yes - Incident resulted from inadequate or failed internal processes (operational risk incident) |
| Minimum recording threshold met? | Yes, ≥ AUD20k |
| Date Incident Occurred | 30 Nov 2011 |
| Date Incident Identified | 02 Dec 2011 |
| Incident Name | Duplication of Payment |
| Detailed Incident Description (including root cause) | WBC money market deal processed by officer/released by Supervisor before cut-off. While in transit, a separate Supervisor received call from customer advising non-receipt of funds. Supervisor ordered a new payment to be created, which was subsequently sent, resulting in duplication. Supervisor releasing duplicated payment had not checked SWIFT Alliance, as per existing procedure, due to the timing of the payment. Root Cause: Existing procedures not followed |
| Primary Caused Business Unit | Global Markets Operations |
| Primary Impacted Business Unit | FX & C Trading |
| Product/Process | Foreign Exchange and Money markets (FX and MM) / Perform Settlements and Closing Activities |
| Basel Business Line Impacted (Level 1/Level 2) | Payment & Settlement / External Clients |
| Basel Event Type (Level 1/Level 2) | Execution, Delivery & Process Management / Transaction Capture, Execution and Maintenance |
| Location | Australia |
| Currency | GBP |
| Potential Financial Impact | GBP 20,001,610.97 |
| Financial Impact positive or negative | Negative |
| Estimated Financial Impact | Zero |
| Classification of the incident | Extreme |
| Flag the incident as Credit Risk related? | No |
| Flag the incident as Market Risk related? | No |
| Flag the incident as sensitive? | No |
| Compliance Impact? | No |
| Assign the Incident Owner, Rectification Manager, Mandatory Stakeholders and Additional Stakeholders | Done |
| Identification source | Employee - Internal |
5.2 Rejecting an incident
Should an incident not meet the required criteria, prior to rejecting an incident it is advisable to speak with the person who logged the incident. In some instances, the identifier may have had limited information at the time of logging and having a discussion (where appropriate) could save any unnecessary rework or confusion. If the information can be obtained and meets the materiality thresholds the verifier should update the incident with the new information and not reject it.
As previously advised, communication is the most important tool in the incident management process: it is important to discuss with the right stakeholders who can provide the correct or additional information.
6 Incident Ownership
The Incident Owner must have accepted ownership of the incident within five business days of the incident having been identified.
Incidents that have not been owned within the current five day policy requirement will be escalated weekly to the responsible CRO and on a monthly basis to the relevant Group Executive. In the event that ownership of an incident cannot be agreed between relevant business units, the Group Head of Operational Risk and Insurance will make a determination on ownership in consultation with the GM, Operational Risk and Assurance with notification to the Group CRO.
For Technology, Fraud and Occupational Health & Safety incidents, these must be progressed and escalated through to the acceptance of the ownership stage within five business days of the incident being recorded within ACCORD. This is due to these incidents being initially recorded, owned and managed in different systems and recorded to ACCORD on a later date if the minimum reporting thresholds are met. The Incident Owner has the following responsibilities:
- Take accountability for the incident
- Retain the ownership for the life of the incident
- Manage and oversee the rectification of the incident until closure
- Take action to prevent reoccurrence
It is important to note that taking ownership does not imply that the primary 'caused' business unit will automatically bear all associated costs of the incident.
If the Incident Owner does not accept the incident within three business days of the incident verification date, an escalation e-mail notification will be sent to the BU Head of Operational Risk.
It is the responsibility of the BU Head of Operational Risk to remind the Incident Owner of their responsibilities in the IM process.
7 Assessments
A Compliance or Insurance assessment may be required where the minimum requirements are met:
- Compliance assessment - performed for all incidents where a 'compliance impact' is flagged as either 'yes' or 'unsure'. Compliance assessments must be performed by the Compliance Assessor (nominated by the Incident Verifier) for incidents with a compliance impact or a potential compliance impact (refer to section 2.3.2 Non-compliance threshold). Compliance assessments are also subject to the AFSL Breach Policy.
- Insurance assessment - performed for all incidents where potential loss is equal to or greater than AUD250k. ACCORD will automatically send a notification to Group Insurance when an incident falls within the above criteria. The threshold is in line with the notification obligations that Group Insurance has to Westpac's Underwriters.
The Incident Identifier, Verifier and/or Rectification Manager should escalate any potential compliance breaches immediately to their relevant Compliance Advisor to ensure timely assessment of the incident and reporting to the regulator if required.
The agreed issues and actions from the assessments (if any) must be incorporated in the rectification plan in ACCORD which is managed by the Rectification Manager.
8 Incident Rectification
The Rectification Manager coordinates the development and execution of a rectification plan in conjunction with the Incident Owner, Group Insurance, Compliance, BU Finance Representatives, and other relevant stakeholders.
The Rectification Manager must review recommendations from any assessments that had to be undertaken and incorporate them into the rectification plan. Additionally, the Rectification Manager must ensure the correct treatment and capture of financial information in ACCORD by working closely with the BU Finance representatives.
During the rectification process, it is important to remember that ACCORD is a system that assists with the workflow; it does not drive rectification activities on its own. Stakeholder engagement is critical to the process and incident identifiers and verifiers play a key role.
The responsibilities of the Rectification Manager include:
- Assess the circumstances of the incident, identify the control weaknesses that led to the incident occurring and determine the potential direct financial impact
- Link to an issue and develop the rectification plan in conjunction with the Incident Owner, BU Finance Representative and other stakeholders (as required) and implement actions from the rectification plan to prevent re-occurrence of an incident
- Notify the relevant Control Owner(s) at the point at which an issue is raised
- Ensure that findings and recommendations from the Insurance and/or Compliance assessments are incorporated in the rectification plan (where applicable)
- Ensure that information updates are captured in an accurate and sufficiently detailed manner over the life of the incident
- Notify the BU Finance Representative of the estimated direct financial impacts and agree the treatment of the financials, including all direct losses (and gains), costs (including provisions), recoveries and write-offs resulting from the operational risk incident
- Consult with the BU Finance Representative to identify the correct accounts in the General Ledger (GL) and accurately reflect the financial impact in ACCORD
- Gather all incident journal entries from the BU Finance representative and update them accordingly in ACCORD
- Check with the BU Finance representative that the ACCORD Incident ID has been included on the Journal Description
- Incident Financial Entries status must be "Final", not "Draft"
- Fraud incident financial entries must be updated per FCM's advice by the 5th and 17th business day of each month
- Prior to closing an incident, confirm with the BU Finance representative if provisions have been reversed out or whether a loss has been incurred and ensure financial entries are recorded correctly in ACCORD
- Provisions in the General Ledger must be released before the incident is closed
- If there is a Legal contact for the incident, obtain all ACCORD rectification updates from that Legal contact. Include the contact's name and only include updates in ACCORD that have been specifically provided by the Legal contact
- The Dispute Resolution Group should be consulted if the incident has possible confidentiality concerns (i.e. incident with prospects of litigation or an internal matter requiring confidentiality)
- Link the incident to the relevant risk or control
- Provide regular status updates to the Incident Owner and relevant stakeholders
- Ensure that the incident is ready for closure and recommend incident closure to the Incident Owner
Procedures to be followed for these steps are set out in the Appendix item 7 and must be followed by the Rectification Manager, BU Finance Representative and Group Accounting.
Once a rectification plan has been formulated, the Rectification Manager should then create action items in Accord under the Issue to enable the individual components of the rectification plan to be managed. Each Action item is then assigned an action owner, which enables stakeholders to track the progress of all rectification steps. Guidance on how to create an Action Item in Accord is outlined in the following hyperlink:
https://wbcspaces.intranet.westpac.com.au/risk/teams/orc/ACCORD/QRG/Issue%20and%20Action%20Management.pdf
When inputting the action into ACCORD the rectification manager should ensure the action is clear and aligned with the rectification plan including due dates. The Rectification Manager should discuss and agree action item ownership prior to assigning an Action to an owner in Accord.
'Lite' treatment for incidents with potential or actual financial impact less than $50,000
Incidents with a potential or actual financial impact (whichever is the greater) of less than $50,000 (gross recovery) can be fast tracked in ACCORD via a 'Lite' treatment. The 'Lite' treatment is optional and it impacts the rectification stage of the incident management process only.
For 'Lite' incidents, capturing the following data is no longer required:
- Details of the root cause analysis and rectification plan.
- Linking the incident to a risk, control, and issue (when closing an incident it can be linked to a dummy issue called 'Lite Incident').
- Status updates and a final report about the rectification. Only a short closing comment is required to be entered.
The option to take a Lite approach will not apply to Compliance incidents, for which full details are required to be entered as per the current procedures/guidance.
8.1 Incident rectification - Example
Incident Rectification
On 29 June 2007, a customer signed a 5 year fixed rate agreement. In December 2008 the customer enquired about a prepayment quote. An incorrect quote was provided by the staff member and the customer went to the Banking Ombudsman in February 2009. Following the complaint, the bank agreed with the Banking Ombudsman recommendation and the dispute was settled, resulting in a loss.
Example ACCORD entry (depending on whether or not the 'Lite' treatment applies)

| Field | Incident with potential or actual gross financial impact > $50,000 AUD | Incident with potential or actual gross financial impact ≤ $50,000 AUD ('Lite treatment') |
|---|---|---|
| Is this an Incident? | Yes - Incident resulted from inadequate or failed internal processes and people (operational risk incident) | Yes - Incident resulted from inadequate or failed internal processes and people (operational risk incident) |
| Minimum recording threshold met? | Yes, ≥ AUD20k | Yes, ≥ AUD20k |
| Date Incident Occurred | 29 Jun 2007 | 29 Jun 2007 |
| Date Incident Identified | 1 Feb 2009 | 1 Feb 2009 |
| Incident Name | Pre-payment quote error | Pre-payment quote error |
| Detailed Incident Description (including root cause and rectification plan summary) [8] | On 29 June 2007, the customer signed a 5 year fixed rate agreement. In December 2008 the customer enquired about a prepayment quote. An incorrect quote was provided by the staff member and the customer went to the Banking Ombudsman in February 2009. Following the complaint, the bank agreed with the Banking Ombudsman recommendation and the dispute was settled, resulting in a loss. Root cause analysis: Lack of training provided to the staff member resulted in the miscalculation of the prepayment cost quote. Rectification plan: (1) Provide additional training to staff members on procedures; (2) Improve Complaints review process | On 29 June 2007, the customer signed a 5 year fixed rate agreement. In December 2008 the customer enquired about a prepayment quote. An incorrect quote was provided by the staff member and the customer went to the Banking Ombudsman in February 2009. Following the complaint, the bank agreed with the Banking Ombudsman recommendation and the dispute was settled, resulting in a loss. |
| Primary Caused Business Unit | WNZL Retail | WNZL Retail |
| Primary Impacted Business Unit | WNZL Retail | WNZL Retail |
| Product/Process | Commercial & Industrial Loans / Deliver Products & Services | Commercial & Industrial Loans / Deliver Products & Services |
| Basel Business Line Impacted (Level 1/Level 2) | Retail Banking | Retail Banking |
| Risk Category 1 / 2 | Execution, Delivery and Process Management / Customer/Client Account Management | Execution, Delivery and Process Management / Customer/Client Account Management |
| Currency | NZD | NZD |
| Potential Financial Impact | $100,000 | $40,000 |
| Financial Impact positive or negative | Negative | Negative |
| Estimated Financial Impact | $75,500 | $25,000 |
| Classification of the incident | Medium | Low |
| Flag the incident as Credit Risk related? | No | No |
| Flag the incident as Market Risk related? | No | No |
| Flag the incident as sensitive? | No | No |
| Compliance Impact? | No | No |
| Identification source | NZ Banking Ombudsman - External | NZ Banking Ombudsman - External |
| Reason for closure | Settlement with customer reached. Investigation and recommended actions complete. Incident can now be closed | Settlement with customer reached. Investigation and recommended actions complete. Incident can now be closed |
| Add financial entries (with Final status) that correspond to the GL entries | YES | YES |
| Status update for issues/actions associated to the incident | YES | OPTIONAL |
| Link the incident to an Issue and associated actions | YES | OPTIONAL (only linkage to a dummy issue called 'Lite Incident' is required) |
| Linking the incident to a risk, control | YES | OPTIONAL |

[8] Details of the root cause analysis and rectification plan are not required when applying the 'Lite' treatment to incidents with potential or actual gross financial impact under $50,000 (this does not apply to Compliance incidents, for which full details are required).
9 Incident Closure
When all rectification activities have been completed, the Rectification Manager requests closure of the incident from the Incident Owner. The Incident Owner is accountable for ensuring the satisfactory resolution of an incident and makes the final decision whether it is ready to be closed.
In order to close an incident, the following must be completed by the Rectification Manager and then checked by the Incident Owner:
- All financial entries have been recorded correctly in ACCORD
- All provisions in the GL have been released (i.e. balance is 'zero')
- Insurance and/or Compliance assessments have been completed (where applicable)
- All relevant supporting documents are attached to the incident
- All linked issues have been actioned and closed (this includes issues and actions related to regulatory issues; confirm with Group Regulatory Affairs if unsure)
- Incident is linked to the appropriate risks or controls in ACCORD. This is optional for Incidents with a potential or actual financial impact under $50,000 (net recovery).
If the Incident Owner accepts the closure, the incident will be closed and a notification sent to all stakeholders. However, should the Incident Owner not accept the closure within two business days, an escalation e-mail notification will be sent to the BU Head of Operational Risk. It is the responsibility of the BU Head of Operational Risk to remind the Incident Owner of their responsibilities within the IM process.
In closing the incident, the Rectification Manager and Incident Owner are providing confirmation that all policies and procedures have been followed and the information contained in ACCORD is complete and accurate.
10 Re-Opening of Incidents
A closed incident should only be re-opened if there is a need to update the incident due to new information. The Rectification Manager must request approval for re-opening the incident from the Incident Owner. The Incident Owner will receive the notification and decides to accept or reject the re-opening request within two business days, otherwise a notification will be sent to the BU Head of Operational Risk. Once accepted, a notification will be sent to the Rectification Manager and all Mandatory Stakeholders.
11 Data Quality
All people involved in the IM process must ensure that the minimum standards of data quality are met. The principles of these quality standards are set out in more detail in the Data Policy.

| Role | Responsibilities |
|---|---|
| Business Unit Finance | Confirms the financial impact of an incident and determines the accounting treatment; initiates actions to accurately reflect the financial impact of the incident in the GL; supports Rectification Managers to resolve reconciling items identified by the quarterly GL reconciliation; assists in the GL reconciliation process; monitors the non-lending loss accounts and ensures all entries ≥ AUD20k have supporting documentation from ACCORD |
| Operational Risk Leadership Team (ORLT) | Provides oversight and ownership of operational risk data quality issues |
| Divisional Operational Risk & Compliance | Ensures the incident's information is recorded accurately in ACCORD; coordinates the investigation of unreconciled items identified during the quarterly Source System and GL reconciliations; provides quarterly ILD attestation (signed off by Division Head of Operational Risk); facilitates the inclusion of Source System incidents into ACCORD; re-assigns incidents as a result of business restructures |
| GORI | Owns and maintains the IM Policy and the Incident Management Procedure and Guidance; ensures Division Operational Risk awareness and understanding of the IM Policy; monitors compliance with the IM Policy |
| Risk Systems & Data team | Facilitates the GL and Source System reconciliations and the Legal Risk Review |
| Source System (FCM, STARS) Owner | Reports incidents to Group l Risk at a minimum every month; provides a Source System extract to support the Source System quarterly reconciliation |
| ACCORD Support team | Helpdesk and ACCORD Intranet provide support and maintenance with regards to ACCORD access management, data changes (e.g. business restructures) and training materials |
12 External Reporting
In each of Westpac's jurisdictions, certain incidents have to be reported to regulators in order to comply with specific regulatory requirements. In Australia, Westpac reports incidents to:
APRA Australian Prudential Regulation Authority
ASIC Australian Securities and Investment Commission
AUSTRAC Australian Transaction Reports and Analysis Centre
OAIC Office of the Australian Information Commissioner (includes the Federal Privacy Commissioner)
RBA Reserve Bank of Australia
All potential compliance breaches should be escalated immediately to the relevant Compliance Advisor to ensure timely and appropriate reporting.
All breach reporting to Regulators continues to be made via Group Regulatory Affairs and is subject to the AFSL Breach Policy, Voluntary Disclosure & Legal Professional Privilege Policy and Managing Our Regulatory Relationships Policy.
In the case of a dispute, the final determination about whether an incident is reportable to regulators is made subject to the above mentioned policies or by the Chief Compliance Officer in conjunction with Group Regulatory Affairs.
13 Internal Escalation Reporting
The Systems & Data Team issue a report on a weekly basis to both the Operational Risk Leadership Team and the Enterprise Risk Leadership Team providing a notification and commentary on all incidents with a potential impact exceeding $1 million.
On top of the $1 million weekly reporting there is also a list of mandatory stakeholders provided (see Appendix item 6) who are required to be added to the incident in ACCORD for escalation purposes in line with the incident classification level (see Section 5).
Appendix 1 Direct vs. Indirect Financial Impact

| Category | Direct Financial Impact | Indirect Financial Impact |
|---|---|---|
| Staff Impacts | Costs of hiring or use of external parties to investigate and rectify an incident or to fill the role of permanent staff diverted to investigate and rectify the incident. | Costs of work performed by an external party, under an existing contract, where the work diverts resources from planned activities. |
| Staff Impacts | Remuneration of internal staff with a direct involvement in the management of incidents as part of their normal role in the business. | Incremental increase in staff costs as a result of a decision to change the processes, people or systems to mitigate risk. |
| Physical Asset Impact | Cost of replacing assets, e.g. IT hardware, property, damaged as a direct result of an operational risk incident and required to restore the business to the position prior to the incident; this includes rental costs for any equipment utilised during the recovery period. | Investment in assets, e.g. IT hardware, property, planned by the business and/or not directly related to an operational risk incident. |
| Project Impact | Budgeted/actual administration, management and delivery costs associated with projects (formal and informal) established to support the rectification of an incident. | Incremental project costs due to approved scope changes, unforeseen/unexpected events, reprioritisation or inefficiencies and not directly associated with an operational risk incident. |
| Regulatory Impact | Direct value of fines and penalties imposed by the Regulators and other authorities. Costs arising from regulator-imposed remediation activities. | Costs associated with scheduled on-site visits by Regulators or other authorities or investigations or notifications. |
| Legal Cost | Legal fees incurred where external legal counsel is required to deal with specific matters associated with an incident. | Cost of legal advice obtained during the normal course of business, both internal and external. |
| Claims/Compensation | Compensation or claim amount paid, e.g. as a result of a WH&S claim, failure to settle. | Damages or costs arising from legal action against the Bank, e.g. for breach of duty or disclosure of confidential information. |
| Trading Impact | Direct value of loss/gain that has materialised as a result of an erroneous trade and any good value claims and interest on funding the position. | |
| Fraud Impact | Monetary loss/gain to the Bank as a result of fraud. | |
| Revenue Reversal/Negative Revenue | Reversal of revenue, e.g. fee or interest income, originally recognised in a prior accounting period/financial year. | |
| Opportunity Cost | | Opportunity costs foregone as a result of an operational risk incident. |
| Tax Impact | Adverse tax consequences arising from the incident, i.e. tax the Bank would not have been liable for had the incident not occurred or the resulting fines. | Increased/decreased tax liability as a result of errors in the tax calculation, the supporting model or the underlying assumptions originally recognised in a prior accounting period/financial year. |
| Tax Impact | Direct and indirect tax arising on losses/gains, costs and recoveries, e.g. corporate tax, GST. | Increased/decreased tax liability as a result of errors in the tax calculation, the supporting model or the underlying assumptions originally recognised in the same accounting period/financial year. |
Appendix 2 Basel Business Lines

Columns: BBL | Category 1 | Category 2 | Examples of business activities

1 Corporate Finance
Examples of business activities: Structuring, issuance or planned placement of securities and similar instruments, not just for capital raising. Mergers and acquisitions (M&A), underwriting, privatisations, securitisation, research, syndications, IPOs, secondary private placements, holdings of debt (government, high yield) and equity.
Examples of incidents that may be allocated to this BL:
- Asset financing systems failed to pick up that a company provided finance against an asset with the same serial number twice
- Bond coupon payment to counterparty is missed (payment was not authorised) due to staff not knowing how to process the transaction
- During the preparation of the prospectus for a debt raising, a factual error is included in the documentation
- Errors when advising corporations on raising funds through bond, equity or money market issues
Category 2:
- Corporate Finance: Non-municipal and government clients – underwriting, privatisations, securitisations, debt (government & high yield), equity, syndications, IPOs, private placements, M&A, research
- Municipal/Gov. Finance: Underwriting – bonds, syndicated loans, asset backed securities (ABS), privatisations & disposals. Westpac is currently not active in this business line
- Merchant Banking: Banking that specialises in providing financial services such as accepting bills arising out of trade, underwriting management of new issues, providing advice on M&A, foreign exchange (FX), temporary financing for leveraged buy outs (LBO), portfolio management, credit syndication. This does not include credit/debit card facilities provided to merchants
- Advisory Services: Strategic planning in terms of balance sheet restructuring – acquisitions or disposals, establishment of subsidiaries for financial optimisation, tax planning. Westpac is currently not active in this business line
2 Trading & Sales
Examples of business activities: Products/positions held in the trading book and corporate investments such as fixed income, equity, FX, commodities, credit trading, funding, lending and repurchase agreements and brokerage (other than retail brokerage)
Examples of incidents that may be allocated to this BL:
- Contravention of ASX Business and Market Rules by failing to send out confirmations for equity securities transactions to customers within the required timeframe, resulting in a fine imposed by the ASX Disciplinary Tribunal
- Settlement failures due to operational risk events such as system outage
- A coding error caused a company's quantitative investment model to improperly calculate risks for its proprietary trading
- Losses are accumulated as a result of poorly documented OTC derivative contracts
- A rogue trader, through fictitious transactions that concealed the bank's risk exposure, causes the bank to lose a substantial amount
Category 2:
- Sales: Sales activities such as FX and commodities distribution or sales related activities for commodities, carbon and energy
- Market Making: A market maker (i.e. a company that quotes a buy as well as a sell price for financial instruments) trades equities, FX or commodities in order to make money from the bid-offer spread
- Proprietary Trading: Where any part of the Group, or an employee acting on behalf of the Group, actively trades financial instruments on its own account (i.e. using the Group's funds as opposed to the customer's money) with the aim of making a profit
- Treasury: Funding and capital management for the Group and its subsidiaries, portfolio risk management
3 Retail Banking (see footnote 9)
Examples of business activities: Retail lending and deposit-taking, banking services, trust and estates – including the following retail products and services: bank branches, ATMs, issue and administration of cards, credit card terminals, savings accounts, loans, money transfers, cash transactions. Retail banking caters to retail clients, i.e. Consumer and SME banking, and includes Westpac SME (regional & metro), St George (enterprise & business), Bank SA (enterprise & business) and Bank of Melbourne (enterprise & business)
Examples of incidents that may be allocated to this BL:
- Incorrect calculation of interest payments due, e.g. deposit accounts
- Incorrect retail loan documentation is processed and approved
- Robbery and destruction of ATM
- Losses due to physical damage to branches and unrecoverable loans due to natural disasters such as earthquakes or floods
- Credit card or cheque fraud
- Bank reached settlement with customers that complained about excessive overdraft fees. Bank commonly processed larger transactions before smaller ones regardless of when they occurred. As a result, some customers unexpectedly incurred overdraft fees
Category 2:
- Retail Banking: Retail loans, retail deposits, banking services, trusts & estates, investment advice
- Private Banking: Private Banking offers high net worth clients a broad range of products and services that can be specifically tailored to them (e.g. private loans, private deposits, banking services, trusts & estates, investment advice). Westpac Private Bank: AUD2.5m balance sheet and/or AUD400K gross income. St George Private Clients/Bank of Melbourne Private: AUD2m balance sheet and/or AUD250K gross income
- Card Services: Merchant, commercial and corporate cards, private label, credit & debit cards

9 The general differentiation between Retail Banking and Commercial Banking is as follows:
Retail Banking: All Westpac Group consumer banking activity servicing the banking needs of Affluent and Mass Retail customers (including PFS and Private Banking Customers). All Westpac Group business banking activity servicing the banking needs of business customers with turnover < $5Mil revenue.
Commercial Banking: All Westpac Group business banking activity servicing the banking needs of business customers with turnover > $5mil revenue (i.e. all WIB customers and those RBB Commercial Banking customers falling within this criteria).
Please note that this wording has been provided for general guidance. Where there is uncertainty, contact Group Operational Risk & Insurance for further assistance.
4 Commercial Banking (the Retail Banking/Commercial Banking differentiation in footnote 9 applies)
Category 2 – Commercial Banking: Commercial lending and deposit-taking, project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees and bills of exchange. Commercial banking caters to wholesale clients, ranging from SME and middle market banking to corporate and institutional customers, and includes Westpac Commercial (metro), Commercial and Agribusiness (regional), St George (corporate/key accounts), Bank SA (major clients) and WIB Corporate Business Group and Institutional business
Examples of incidents that may be allocated to this BL:
- Fraud perpetrated on letters of credit
- An overdraft facility was established by Operations without following the correct procedure. The loan was established at the default product rate rather than the commercial base rate, resulting in the business having to refund the client overcharged interest
- Incorrect commercial loan documentation is processed and approved
5 Payment & Settlement
Category 2 – External Clients: Payments and collections, funds transfer, clearing and settlement (Westpac does not undertake securities clearing). Payment and settlement losses related to Westpac's own activities should be incorporated in the loss experience of the affected business line
Examples of incidents that may be allocated to this BL:
- Incorrect payment/transfers of client monies
- Incorrect payment/allocation of cash/securities to multiple accounts operated by one customer/client
- Incorrect position statements and valuations

6 Agency Services
This BL includes escrow, depository receipts, securities lending (customers) and corporate actions, issuer and paying agent activity
Examples of incidents that may be allocated to this BL:
- Inadequate segregation of clients' money from bank's money, i.e. commingling of funds
Category 2:
- Custody
- Corporate Agency
- Corporate Trust: Westpac is not currently active in this line of business

7 Asset Management
The key difference between discretionary and non-discretionary fund management lies in the level of management responsibility that the investors give to the service providers
Examples of incidents that may be allocated to this BL:
- Unit pricing errors / valuation errors
- Investing in instruments outside the investment mandate, e.g. certain types of OTC derivatives
Category 2:
- Discretionary Fund Management: Pooled, segregated, retail, institutional, closed and open discretionary funds management and private equity. In discretionary funds more control is given to the service provider, who takes decisions on behalf of the investor
- Non-discretionary Fund Management: Pooled, segregated, retail, institutional, closed and open non-discretionary funds management and private equity. Companies that have their own in-house investment management teams are often more involved in investment decisions and therefore exercise more control and give less discretion to the service provider

8 Retail Brokerage
Category 2 – Retail Brokerage: Execution of brokerage services including services related to the administration
Examples of incidents that may be allocated to this BL:
- Unauthorised access or use of client accounts
- Incorrect order execution

10 Corporate Items (referred to in ACCORD as "Not Otherwise Allocated")
Category 2 – Corporate Items: This business line captures incidents which do not fall into specific business lines but can only be categorised at the corporate level. These are primarily functions that arise in the Corporate Core and impact the group as a whole, e.g. Group Risk, Group Finance, Group People, Finance & Secretariat as well as Technology
Example of an incident that may be allocated to this BL:
- Dispute over a technology sourcing agreement impacting the whole bank
Example of an incident that should not be allocated to this BL:
- Technology system error that causes ATMs to be temporarily unavailable. As retail customers are impacted, this should be mapped as a retail banking incident
Appendix 3 Basel Event Types

Columns: Basel Event Type (Category 1) | Definition | Activity examples

Internal Fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party.
Activity examples: Transactions not reported (intentional); Transaction type unauthorised; Mismarking of position (intentional); Fraud/credit fraud/worthless deposits; Theft/extortion/embezzlement/robbery; Misappropriation of assets; Malicious destruction of assets; Forgery; Cheque kiting; Smuggling; Account take-over/impersonation, etc.; Tax non-compliance/evasion (intentional); Bribes/kickbacks; Insider trading (not on ADI's account)

External Fraud
Definition: Losses due to acts of a third party that are of a type intended to defraud, misappropriate property or circumvent the law.
Activity examples: Theft/robbery; Forgery; Cheque kiting; Hacking damage; Theft of information (with monetary loss)

Employment practices and workplace safety
Definition: Losses arising from acts that are inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims or from diversity/discrimination events.
Activity examples: Compensation, benefit, termination issues; Organised labour activity; General liability (slip and fall, etc.); Employee health and safety rules events; Workers' compensation; All discrimination types

Clients, products and business practices
Definition: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients, including fiduciary and suitability requirements, or from the nature or design of a product.
Activity examples: Fiduciary breaches/guideline violations; Suitability/disclosure issues (e.g. know your client requirements); Retail customer disclosure violations; Breach of privacy; Aggressive sales; Account churning; Misuse of confidential information; Lender liability; Antitrust; Improper trade/market practices; Market manipulation; Insider trading (on the ADI's account); Unlicensed activity; Money laundering; Product defects (unauthorised, etc.); Model errors; Failure to investigate client per guidelines; Exceeding client exposure limits; Disputes over performance of advisory activities

Damage to physical assets
Definition: Losses arising from loss or damage to physical assets from natural disaster or other events.
Activity examples: Natural disaster losses; Human losses from external sources (e.g. terrorism or vandalism)

Business disruption
Definition: Losses arising from disruption of business or system failures.
Activity examples: Hardware; Software; Telecommunications; Utility outage/disruptions

Execution, delivery and process management
Definition: Losses arising from failed transaction processing, process management, relations with trade counterparties and vendors.
Activity examples: Miscommunication; Data entry, maintenance or loading error; Missed deadline or responsibility; Model/system mis-operation; Accounting error/entity attribution error; Other task mis-performance; Delivery failure; Collateral management failure; Reference data maintenance; Failed mandatory reporting obligation; Inaccurate external report (loss incurred); Client permissions/disclaimers missing; Legal documents missing/incomplete; Unapproved access given to accounts; Incorrect client records (loss incurred); Negligent loss or damage of client assets; Outsourcing; Vendor disputes
Appendix 4 Product

Columns: No. | Product – Level 1 | Product – Level 2 | Description

1 Capital Raising
Level 2: Equity Issuance; Bond Issuance; Structured Products Issuance; Securitisations; Private Placements; Syndications
Description: Structuring, issuance or placement of securities and similar instruments

2 Corporate Finance Services
Level 2: Mergers & Acquisitions; Corporate Advisory Services
Description: Advisory services regarding corporate structure and strategic decisions

3 Exchange Traded Securities & Derivatives
Level 2: Fixed Income; Equities; Commodities; FX and Money Markets; Repos and Securities Lending; Investment Funds; OTC and Securitised Interest Rate Derivatives; OTC and Securitised Credit Derivatives; OTC and Securitised FX Derivatives; OTC and Securitised Equity Derivatives; OTC and Securitised Commodity Derivatives; Other OTC and Securitised Derivatives; Exchange Traded Futures and Options
Description: Trading and sale of all securities and derivatives either via an exchange or over-the-counter

4 Retail Credit
Level 2: Retail Cards; Vehicle Loans; Vehicle Leasing; Student Loans; Mortgages; Home Equity Loans and Lines of Credit; Other Secured Consumer Loans; Other Unsecured Consumer Loans; Other Consumer Leasing; Personal standby letters of credit or guarantees
Description: Financing and related services

5 Commercial Credit
Level 2: Commercial & Industrial Loans; Commercial Real Estate Loans; Construction, Acquisition & Development Loans; Commercial Leases; Commercial Cards; Card Merchant Services; Project Finance Loans; Trade Finance; Standby Letters of Credit, Bank Guarantees, Bankers Acceptances; Factoring; Structured Lending
Description: Financing and related services

6 Deposits
Level 2: Consumer Current Accounts; Consumer Notice Accounts; Commercial Bank Accounts; Commercial Time & Term Accounts; Investment Products
Description: Bank account, deposit services, "plain vanilla" investment products

7 Cash Management, Payments & Settlements
Level 2: Retail Cash Management; Commercial Cash Management; Electronic Payments; Manual Payments; Clearing; Settlement; Exchange Services
Description: Client management of own cash in/outflows, all forms of payments, clearing, settlement and exchange services

8 Trust/Investment Management
Level 2: Custody Service; Corporate Actions Services; Corporate Trusts; Prime Brokerage; Financial and Estate Planning; Discretionary Portfolio Management; Execution-only Services; Advisory Portfolio Management; Lombard Credits
Description: Various services related to administration and management of estates, trusts, assets, portfolios, etc.

9 Investment Products
Level 2: Fund Administration; Traditional Institutional Asset Management; Alternative Institutional Asset Management
Description: Investment management, execution, administration, operational management services

10 Brokerage
Level 2: Full Service Brokerage; Self Directed Brokerage
Description: Investment advisory, management and execution services

11 Non-Banking Products
Level 2: Non-Banking Products
Description: Other products/services not generally considered part of a bank or investment bank's offering, e.g. insurance

12 Not Product-related
Level 2: Not Product-related
Description: Used for situations not involving products or services
Appendix 5 Process

Columns: No. | Process – Level 1 | Description

1 Develop, Design and Maintain Products, Services and General Business Capabilities: Identify, design, produce and maintain new financial products, services and capabilities, including the models and methodologies upon which they are based
2 Market Products and Services: Promote the firm and/or its products and services, through general marketing or advertising, including the publication of standard fees, rates, charges, and prices for specific products and services
3 Sell or Reach Agreement to Conduct Specific Business: Sell or offer specific products and/or services of the firm in discussions with individual clients, including the quotation of firm or indicative fees, rates, charges, prices, or the like, with the intent of concluding a specific deal for specific product sales or service delivery
4 Take on and Maintain Clients/Customers, Counterparties & Trade Relationships: Onboard and maintain client or counterparty accounts, including related due diligence, data and documentation
5 Capture and Document Transactions: Record transaction-specific terms and instructions in the processing systems of the firm; also produce related transaction documents
6 Deliver Products and Services: Deliver or fulfil agreed-upon products and services, including the set-up and maintenance of transactions and required arrangements, and agreed-upon non-transaction financial services (trust administration, financial advisory services, sale of research as a product, etc.)
7 Perform Settlements and Closing Activities: The definitive exchange or transfer of assets, currency or other property (commonly in exchange for value), and related transactional mechanics
8 Perform Transaction Accounting: Record transaction and/or position information in the company's accounting records/general ledger
9 Manage HR: Manage human resources, apart from direct business management functions
10 Manage IT: Acquire or design/develop information technology and implement security and incident response measures
11 Manage Financial Reporting and Taxation: Perform financial reporting and control, based on (but not including) general ledger entries made during Transaction Accounting
12 Manage Capital, Funding & Liquidity: Manage the firm's capital account, liquidity and balance sheet
13 Manage Suppliers and Outsourcing Service Suppliers: Selection, on-boarding, management, and oversight of third party vendors and outsourcing service providers
14 Manage Physical Assets and Facilities: Provision and management of physical facilities, equipment and safe workplace environments
15 Manage Compliance, Legal, Governance and Audit: Establish and maintain firm policies, standards, procedures, codes of conduct, and associated compliance controls and testing procedures
16 Manage Risk Systems: Establish risk management processes and methodologies (apart from standard business process and supervisory controls) to record, monitor, evaluate, control or manage risk exposures within the firm
17 Not Process Related: Used for situations where no specific process was involved
Appendix 6 Mandatory Stakeholders

Columns: Classification | Incident Owner | Mandatory Stakeholders | Additional Stakeholders (optional)

Extreme
Incident Owner: Group Executive (GE) from Primary Caused BU or their delegate, with oversight by the Board
Stakeholders: Chief Executive Officer; Group Chief Risk Officer; Primary Impacted BU Group Executive (GE); GM, Operational Risk & Assurance; Primary Caused BU GM Risk; Primary Impacted BU GM Risk; GM Corporate Affairs and Sustainability; Group Head of Operational Risk & Insurance; Chief Compliance Officer & Group General Counsel; Chief Financial Officer; Head of Group Regulatory Affairs (where non-compliance with regulatory requirements); Group Head of Financial Crime and Fraud (footnote 11)

Very High
Incident Owner: Group Executive (GE) from Primary Caused BU or their delegate, with oversight by the Chief Executive Officer
Stakeholders: Group Chief Risk Officer; Primary Impacted BU Group Executive (GE); GM, Enterprise Risk; Primary Caused BU GM Risk; Primary Impacted BU GM Risk; Group Head of Operational Risk & Insurance; Chief Compliance Officer & Group General Counsel; Primary Caused BU Chief Financial Officer; Primary Impacted BU Chief Financial Officer; Head of Group Regulatory Affairs (where non-compliance with regulatory requirements); Group Head of Financial Crime and Fraud (footnote 12)

High
Incident Owner: General Manager (GM) from Primary Caused BU or their delegate, with oversight by the Group Executive
Stakeholders: Primary Caused BU Group Executive (GE); Primary Impacted BU Group Executive (GE); Primary Impacted BU GM; Group Head of Operational Risk & Insurance; Chief Compliance Officer & Group General Counsel; Primary Caused BU GM Risk; Primary Impacted BU GM Risk; Head of Group Regulatory Affairs (where non-compliance with regulatory requirements); Primary Caused BU Head of Compliance; Primary Impacted BU Head of Compliance; Group Head of Financial Crime and Fraud (footnote 13)

Medium
Incident Owner: General Manager (GM) from Primary Caused BU or their delegate
Stakeholders: Primary Impacted BU GM; Primary Caused BU GM Risk; Primary Impacted BU GM Risk; Group Head of Operational Risk & Insurance; Chief Compliance Officer & Group General Counsel

Low
Incident Owner: GM-1 from Primary Caused BU or their delegate
Stakeholders: Appropriate Operational Risk, Compliance and/or AML/CTF employees from both the Primary Impacted and Primary Caused BUs

Note: Mandatory stakeholders correspond to the highest positions in the escalation chain. It is expected that people at levels below would have either been involved in the management of the incidents or been cascaded down information from the mandatory stakeholders.

11, 12, 13 For all AML/CTF and/or ML/TF incidents only.
Appendix 7 Rectification Procedures on Financial Impact

The following procedures must be followed to support the rectification of an incident. They will ensure information about the financial impact of the incident is captured accurately and completely.

Identify

The Rectification Manager must identify the losses (and gains), costs and recoveries associated with, and expected from, an incident at initial identification, when there is a significant development, on closure and overall. ACCORD allows the financial assessment of the incident to be recorded in foreign currencies (if applicable). When utilising this function, all financial assessments are to be entered in the chosen currency. When the currency field is chosen, the following fields are impacted:
- Potential Financial Impact
- Estimated Financial Impact
- Current Provision Held
- Total gross amount written off to date
- Recoveries
- Net amount written off to date

In identifying the losses (and gains), costs and recoveries the Rectification Manager should understand the following:
- The types of losses (and gains), costs and recoveries can be identified, even if the dollar value may be difficult to determine with absolute certainty, as they are often a direct result of the Incident or the actions of the Rectification Manager/Incident Owner to manage or rectify the Incident
- The direct losses (and gains), costs and recoveries of an incident will vary depending on the specific nature of the incident. The following tables will assist Rectification Managers to determine the losses (and gains) and costs to be included in the financial impact
- Rectification Managers will need to apply their professional judgement and consult with all relevant stakeholders (refer to the Mandatory Stakeholder table in Appendix 6), including their Business Unit Operational Risk Team, if they are uncertain about specific losses (and gains) or costs
- The incident may be similar to other incidents already experienced at Westpac, and an examination of similar incidents in ACCORD may assist in identifying the types of losses (and gains), costs and recoveries to be expected
- The actual losses (and gains), costs and recoveries of an incident may only become apparent as the incident develops, and it may not be possible to identify all losses (and gains) and costs when the incident is identified. Some losses (and gains) and costs may only become apparent on, or close to, closure and these must be captured in the financial assessment of the incident and reconciled to the General Ledger
- The losses (and gains), costs and recoveries will take three forms from an accounting perspective:
  - actual losses (and gains) that have been realised/actual costs that have been incurred (i.e. the "total amount written off to date", being amounts written off/written back to the profit and loss account)
  - known losses (and gains) and costs that have yet to be realised/incurred (i.e. "current provisions held", being provisions in the balance sheet based on the definition and criteria contained in Group Accounting Policy – Provisions: Policy No 4)
  - potential losses (and gains) and costs that have yet to be realised and may never crystallise (i.e. contingencies are in ACCORD as part of the potential loss, but are not included in the General Ledger)

The financial impact functionality of ACCORD will assist the Rectification Manager to capture and track the losses (and gains), costs and recoveries associated with an operational risk incident over time.
Confirm

Rectification Managers must meet with their Business Unit Finance Representative, at a minimum every month or following a significant development, to confirm the financial impact of all open operational risk incidents and confirm the correct accounting treatment (i.e. the amounts to be written off/written back, or provided for in the General Ledger).
The Business Unit Finance Representative will need to be aware of and understand the previous accounting treatment and associated entries in the General Ledger, including amounts written off/written back to date, provisions established and receipts/payments made.
Journal entries relating to an operational risk incident must have an ACCORD reference in the journal description. The standard journals required to account for an Incident are as follows:

To write off a loss or cost to the profit and loss account:
  Dr NLL profit and loss account (refer to table 1 below)
  Cr Asset/liability account (based on the specific nature of the incident and the losses/costs involved)

To establish a provision:
  Dr NLL profit and loss account (refer to table 1 below)
  Cr NLL provision account (refer to table 2 below)

To write off against a provision:
  Dr NLL provision account (refer to table 2 below)
  Cr Asset/liability account (based on the specific nature of the incident and the losses/costs involved)

To write back a provision:
  Dr NLL provision account (refer to table 2 below)
  Cr NLL profit and loss account (refer to table 1 below)

Remember: if a provision has been raised, it must be reversed before an incident is closed.

How to enter financial entries when the account number is not listed in ACCORD:
GL Account Number and Name: do not select "501019 - Op Risk Other" when your financial entry GL account number is not 501019.
1. In the GL Account Number and Name field, select "Other".
2. In the GL Account Other field, type in the financial entry GL account number (for example: 754054).
Example in table below displays:
Most commonly used accounting treatments:
The following tables show examples of the IM General Ledger accounts for WBC:

1. Non Lending Loss accounts in the Profit and Loss Account
Account no. Description
751020 NLL – Fraud & Staff Malpractice
751060 Non Lending Losses – Other – W/O Direct
751061 NLL – Other – Recoveries – Direct
751070 Non Lending Losses – Chargeback W/O Direct
751026 NLL – Litigation/Legal Costs – W/O Direct
751021 NLL – Fraud & Staff Malpractice Recoveries Direct
751022 NLL – Fraud – Recoveries
751031 NLL – Theft/Robbery Provision
751032 NLL – Theft/Robbery W/O Direct
751035 NLL – Process Errors – W/O Direct
751036 NLL – Workers Compensation W/O Direct – Work Cover Payments
751037 NLL – Workers Compensation W/O Direct – Payments
751038 NLL – Workers Compensation W/O Direct – Legal Costs
751039 NLL – Workers Compensation W/O Direct – Settlement Costs
751047 NLL – Fines
751059 Non Lending Losses – Chess Tolerance

2. Non-Lending Loss provision accounts in the Balance Sheet
Account no. Description
268010 NLL Provision - Fraud & Staff Malpractice
268012 NLL Provision - Litigation & Legal Costs
268020 Provision - Non Lending Losses - Workers Compensation
268030 NLL Provision - Other
3. Lending Loss accounts (Bad Debts - Credit Loss Accounts)
Account no. Description
500501 IFRS - Provision - Impaired - Individual Assessment - Gross - Funding
500502 IFRS - Provision - Impaired - Individual Assessment - Funding - Discount
500503 IFRS - Provision - Impaired - Individual Assessment - Gross - Writeback
500504 IFRS - Provision - Impaired - Individual Assessment - Discount - Writeback
500015 IFRS - Provision - Economic Funding Accrual
500016 IFRS - Provision - IBNR - Funding Accrual
500017 IFRS - Provision - Impaired - Collect Assessment - Funding Accrual
500018 IFRS - Litigation Provisions Funding
501010 Bad Debts Written Off Direct - Other
501012 Bad Debts Written Off - Other - Manual Entry
501014 IFRS - Loans write off with recoveries
501015 Personal Loan Fraud Losses
501020 Bad Debts Written Off Direct - Small Balances
501035 Bad Debts Written Off Direct - Fraud
501100 Write Offs - Legal Recovery
502010 Bad Debt Recovered Direct
502011 Bad Debts Recovered Direct - Legal & Recovery Costs
502012 Bad Debts Recovered Direct - Credit - ABG - Manual Entry
502013 Bad Debt Recovered - Debt Sales
502014 IFRS - Loans write off with recoveries - Recovery
All direct costs associated with the incident must be identified and captured. Rectification Managers must communicate with Business Unit Finance and Finance Business Services on a regular basis to ensure these financial impacts are captured accurately and completely.
Update
The Business Unit Finance Representative must provide the Rectification Manager with the cost centre number, General Ledger account number, effective date, and the Dr or Cr amount and its currency for each entry in the General Ledger, so that ACCORD can be updated immediately. The Rectification Manager must update ACCORD to reflect all financial entries and the correct estimated financial impact.
Review
Group Accounting, in FBS, must review the amounts (≥ AUD20k) written off to, or provided for in, the NLL accounts in the General Ledger (refer to tables 1 and 2 above) and must only process those entries with a print of the ACCORD incident attached. Any rejections must be provided to the Business Unit Finance Representative.
The Business Unit Finance Representative must discuss any rejections with the Rectification Managers, confirm that the losses (and gains) and costs are related to an operational risk incident, obtain supporting information from ACCORD as appropriate and liaise with Group Accounting in FBS to allow resubmission. The Rectification Manager must capture any changes in ACCORD General Ledger reconciliation.
Appendix 8 ACCORD financial reconciliation performed by Risk Systems & Data
The purpose of the ACCORD Financial Reconciliation is to ensure accuracy and completeness of Internal Loss Data in ACCORD for use in regulatory reporting, management reporting and capital model use. The reconciliation process is conducted in January, April, July and October each year, following the calendar quarter just ended. The reconciliation must be completed within four working weeks after quarter end to meet regulatory reporting timelines.
The reconciliation process is performed by checking various data sources against ACCORD. The data sources used are the General Ledger, the material source systems (Nemesis for Fraud and STARS for WH&S) and ACCORD Internal Loss Data for financial impact details. All data for reconciliation purposes is managed by the Enterprise Risk Systems & Data team to check accuracy and completeness, with any exceptions identified sent to Division Operational Risk teams.
Business Units and their Rectification Managers are responsible for ensuring that the losses (and gains), costs and recoveries for each incident are complete and accurate in ACCORD. Where an exception is raised for review during the reconciliation process, appropriate action must be taken to ensure ACCORD is correct. The Division Head of Operational Risk must ensure that the reconciliation between ACCORD, the General Ledger and the material source systems is completed satisfactorily each quarter, with all exceptions actioned.
For further guidance, please refer to the Quarterly ACCORD Financial Reconciliation Guidelines:
https://wbcspaces.intranet.westpac.com.au/risk/teams/gr/imforum/ILD%20RECONCILIATION/Forms/AllItems.aspx
Appendix 9 ML/TF incident significant/systemic criteria
Significant or systemic incidents involve one or more of the following:
- any potential TF related incident
- systemic breach(es), control failings and/or weaknesses related to the AML/CTF requirements and/or obligations
- potential employee involvement
- increased employee risk due to the customers involved
- incidents that have the potential to cause a significant reputational impact to Westpac; and
- in addition to at least one of the other elements listed, suspected ML amounts laundered of greater than AUD 1 million.
Cases involving suspected ML/TF activity meeting the above criteria will rarely contain the same characteristics or involve customers posing the same type and levels of ML/TF risk. Each case should therefore be treated on its own merits. The following two examples are representative only of the type of case that should also be raised and managed in ACCORD as an AML/CTF breach and linked to the impacted risks and/or controls resulting from identification of the ML/TF incident.
Significant ML/TF activity - example 1
A criminal investigation initiated by the Australian Federal Police identified that a Westpac individual customer and a number of associated companies, also with Westpac accounts, were engaged in cash structuring activity. Cash structuring involves the systematic deposit or withdrawal of cash amounts under $10,000, designed to avoid Threshold Transaction Reporting (TTR) obligations. It is commonly connected to the sale of illegal drugs (deposits) and tax avoidance (withdrawals).
Further analysis revealed that in an 18-month period, the customer made more than 1,100 cash withdrawals from three separate Business One accounts, at more than 50 closely located Westpac branches. All withdrawals were for less than $10,000, and in total amounted to over $20 million in cash. Deposits to the accounts were made electronically and by cheque, from businesses linked to farming and fruit/vegetable picking, an industry in which cash is often used to pay illegal labour and avoid tax obligations.
Impacted controls:
- in more than 100 instances, frontline staff had not met manual TTR reporting obligations
- of the more than 50 branches involved, only 5 had lodged SMR reports, indicating a training and awareness gap
- the customer's details had not been correctly verified at onboarding.
Significant ML/TF activity - example 2
A number of Detection Scenario (DS) alerts in the Transaction Monitoring Program (TMP) were triggered when the transactional activity in XYZ Pty Ltd's account suddenly changed. For the first 5 months, there were low level transactions, consistent with a new business. Then in a 6 week period in excess of $2.8 million was deposited in cash. The cash transactions were in amounts of at least $50,000 and conducted by third parties at 20 branches across Australia. On the same day as a cash deposit "John", an employee of the company, would go to his local branch and send the funds to a single entity in Hong Kong.
Impacted controls:
- some branches had not captured any "Person Transacting" (PT) information for the third party cash deposits
- "John" was not the employee's real name and the individual concerned had never been properly identified
- the IFTIs processed for "John" contained the details of a generic bank suspense account and not the complete payer information of XYZ Pty Ltd as defined in the AML/CTF Rules
- only 1 of the 20 branches where cash deposits took place submitted an SMR, noting that the cash smelt strongly of detergent, indicating a potential training and awareness gap.
Appendix 10 Glossary of terms
Term Description
ACCORD ACCORD is Westpac Group's integrated enterprise-wide system for the Operational Risk Management Framework, encompassing operational risk, controls, compliance plans, action plans and Sarbanes-Oxley (SOX) processes. ACCORD is the source of data for the Westpac Group operational risk capital model.
ADI Authorised Deposit-taking Institution.
Australian Financial Services License (AFSL)
An AFSL is a license for any Australian businesses involved in the provision of financial services. It is issued by the Australian Securities and Investments Commission as required by the Corporations Act 2001.
Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) - AML/CTF policy and addenda
Details the responsibilities of Westpac Group's employees and contractors in relation to AML/CTF, including the requirement to report suspicious matters or behaviours in accordance with Division procedures.
Australian Prudential Regulation Authority (APRA)
APRA is the prudential regulator of banks, insurance companies and superannuation funds, credit unions, building societies and friendly societies.
Capital Allocation The process for distributing calculated operational risk capital to each Division and line of business using loss history and scenario analysis.
Capital Calculation Outlines the practice of calculating operational risk capital.
Compliance incidents A compliance incident is an actual, likely or imminent contravention or breach of:
- a compliance obligation of any applicable law or regulation;
- an industry standard or code, such as the ASX Market Rules;
- a material contravention of an internal policy or procedure.
An incident must be recorded in the relevant system for all instances of non-compliance, or likely non-compliance, with legal or regulatory requirements, and escalated to a Compliance Assessor.
Mandatory reporting requirements are in place regarding significant breaches of AFSL obligations, which are based on significance assessment criteria. Refer to the AFSL Breach Policy for further guidance.
Contraventions of other regulatory requirements, such as the ACL, Privacy Act etc., have no mandatory reporting requirements. These may, however, be subject to other reporting considerations, including those relevant to our external auditors, and should be considered as to whether a voluntary report is required, to ASIC or any other regulator, as per the "Voluntary disclosure and legal professional privilege policy".
Compliance incidents are defined as instances of non-compliance with a legal or regulatory requirement or licence condition. Compliance breaches are incidents with sufficient significance that we are required to notify a regulator of our non-compliance, where significance is determined by considering factors such as the number and frequency of similar incidents, or the impact of the incident on the bank's ability to supply the financial services covered by its licence.
Credit Risk The potential for financial loss where a customer or counterparty fails to meet their financial obligations to the Group
Data quality The measure of the requirement for data to meet the specific needs of business users. Completeness, accuracy, validity, timeliness and consistency are the chief measures of data quality. Data quality efforts tend to focus on validating or transforming data to improve the efficiency of enterprise applications.
Estimated Financial Impact
Estimated Financial Impact is the expected or known total gross financial impact for the incident. It can be a moving value through the life-cycle of an incident until investigation confirms the final value. The estimated financial impact value indicates what financial impact is to be captured in the General Ledger.
External loss data (ELD)
Qualitative and quantitative information about historical operational risk losses experienced by other financial institutions. Westpac sources external loss data from independent suppliers such as the Operational Riskdata eXchange (ORX) and Fitch First database.
Financial impact The direct loss or gain resulting from incidents, as well as other direct costs associated with the incident.
GL General Ledger.
Gross Financial Impact
The financial impact before an allowance is made for a recovery.
GORI GORI is the Group Operational Risk & Insurance team, which has the following responsibilities:
- Owns and maintains the IM Policy
- Ensures Division Operational Risk awareness and understanding of the IM Policy
- Monitors compliance with the IM Policy
Issue Control failures with potentially serious implications for Westpac. Issues can be systemic problems (i.e. where the same or similar problem occurs multiple times indicating an underlying problem).
Lending loss A loss arising from the provision of credit (as defined in the Westpac Intranet Consumer Credit Policy Manual).
Mark to Market To make an accounting adjustment to reflect unrealised gains and /or losses on book values of a particular investment.
Market risk The risk to earnings from changes in market factors, such as foreign exchange rates, interest rates, commodity prices and equity prices.
Non-lending loss Any loss that has not arisen as a consequence of an impaired credit decision.
Operational Risk Management Framework (ORMF)
The organisational structures, processes and systems used in identifying, assessing, measuring, monitoring, controlling and mitigating operational risk.
Potential Financial Impact
Potential financial impact is the total gross financial impact for the incident at time of identification. It is the total financial impact that the incident could have considering the control environment in which it occurred before any action has been taken to rectify.
Primary caused BU The Business Unit owner of the control or process weakness which gave rise to an incident.
Primary impacted BU The Business Unit that bears the majority of the impact of an incident. Where an incident affects a product or customer, the impacted BU is defined as the BU that earns the revenue from that product or customer and has an associated real Economic Profit target. The list of such BUs is maintained by the Division Finance teams.
Related Operational Risk events
Where an operational risk event occurs and directly causes one or more subsequent events to occur. These related events would not have occurred had the original operational risk event not occurred first. These related operational risk loss events must be grouped and recorded as one incident.
Risk Systems & Data team
Facilitates GL and Source System reconciliations.
Sensitive incident An incident that contains "sensitive information", where it may relate to WH&S, "Legal Privilege", or fraud. "Sensitive incidents" and their information have restricted user access in ACCORD.
Significant Non-compliance
Non-compliance that is material with regard to:
- The number or frequency of similar previous non-compliance
- Westpac's ability to provide the financial product or service covered by the obligation
- The actual or potential financial loss to our clients, or Westpac, arising from the non-compliance
- Any other matters prescribed by legislation
- Extent to which the incident suggests compliance arrangements would be considered inadequate
- Time taken to identify the incident/breach