Risk Culture at CIBC Mellon

Integrity, risk awareness and ethical conduct

February 2016

Identification, measurement, and reduction of risk through our Risk Management Program

Integrity, risk awareness and ethical conduct are key pillars of CIBC Mellon’s corporate culture. As an operational transaction-processing organization, we know that careful attention to organizational risk governance, transparency, and personal accountability is critical to helping affirm to clients that we are upholding the trust placed in us. Clients take confidence from CIBC Mellon’s efforts to foster and enforce a strong risk and internal control framework, and we take pride in reinforcing a strong risk culture across all areas of our business.

A Strong Risk Culture

CIBC Mellon plays a critical role in supporting clients and providing a solid infrastructure for Canada’s capital markets, and recognizes that its financial stability through market cycles is essential. To this end, CIBC Mellon is committed to maintaining a strong balance sheet that is highly liquid and characterized by superior asset quality. CIBC Mellon works to achieve a strong capital structure that is able to support its risk taking activities and to absorb potential losses. We are committed to continuous improvement across our organization, and our efforts to manage risk at CIBC Mellon through our Risk Management Framework are no exception.

The Risk Management Framework has been designed to:

  1. Confirm appropriate limits are in place to govern CIBC Mellon’s risk taking activities across all risk types.
  2. Incorporate risk appetite principles into strategic decision-making processes.
  3. Monitor and report key risk metrics to senior management and the Board of Directors.
  4. Provide a continuous and forward-looking capital planning process to support CIBC Mellon’s risk taking activities.

CIBC Mellon monitors its risk across a wide array of risk categories. Often the main focus of managing operational risks in a given organization is to prepare for and react to significant events – however, while institutions can be well prepared for these high-profile events, the majority of operational losses come from day-to-day processing. These operational losses must be accounted for and administered through an active, well-designed and well-managed risk framework.

CIBC Mellon’s Risk Management Framework promotes the identification, measurement, management, monitoring and escalation of all credit, market and operational risks across the enterprise. This allows all business units, including CIBC Mellon’s governance partners and risk management group, to assure the Board of Directors, shareholders, and regulators that there is a strong risk management structure at CIBC Mellon.

Our risk management group provides oversight and ongoing monitoring of the risk management framework to support the placement of a continuous risk management process within the company. The framework works to identify and appropriately disclose and escalate risk issues. This is reflected in an independent Quarterly Risk Attestation Report to the CEO and Board of Directors, signed by the Chief Risk Officer.

Enhancing the Traditional Risk Management Process: Operational Control

Many organizations focusing on risk management operate by utilizing three lines of defence to alleviate risk – risk owners, risk oversight and risk assurance. These lines of defence are used by many companies and reflect a traditional, effective approach to identifying and mitigating risk.

In keeping with CIBC Mellon’s efforts to continuously strengthen our business, we have built upon industry risk management trends to enhance the classic three-lines-of-defence approach and have introduced a strengthening component to the first line of defence: our Operational Control group. This group works collaboratively with risk owners to design, test and support compliance within the risk owner operational groups, effectively strengthening our risk management and further enhancing risk controls through stringent oversight.

While not a method exclusive to CIBC Mellon, our enrichment of the customary three lines of defence with a fourth component serves to benefit clients by providing further confidence that our risks are being appropriately and effectively identified and measured, and that the proper controls are being designed and implemented.

Three Lines of Defence


Overview of CIBC Mellon’s Risk Management Program

CIBC Mellon’s Risk Management Program focuses on collaboration with peers and partnering groups to support risk management excellence and risk awareness throughout the organization. The program implements risk coverage over all levels of the company through multiple lines of defence. The key components of the Risk Governance Program help us foster and reinforce a strong risk culture. These components include the Risk and Control Self-Assessment (RCSA), the Operational Risk Event report (ORE), and the evaluation of risk through the Operational Risk Committee’s strategic review of the business units.

Line One–Risk Owners

Our business units are accountable for the management of all risks present in their operations. The businesses are the risk owners and are responsible for identifying, mitigating, monitoring and reporting all risks as appropriate, and making risk management a fundamental responsibility in their line of business.

Every business unit at CIBC Mellon has a designated governance officer (DGO) who is a senior manager with a clear view into the operations of the business units they oversee. All employees are responsible for personally monitoring and reporting risk to their DGO. The DGO is also responsible for completing the Risk and Control Self-Assessment (RCSA). The RCSA is one of the key components of the Risk Management Program, and is a tool used by business units as an inventory and assessment of all business risks, and the controls in place to mitigate each risk. The RCSA process is overseen by the Risk Management Department and Operational Control.

Enhancing Line One–Operational Control

Our Operational Control group further enhances the traditional three lines of defence in order to provide additional confidence to stakeholders regarding risk management at CIBC Mellon.

Our new Operational Control group’s role is to validate that the controls used by business operations in daily processes are both designed appropriately and working effectively. The group works to promote the identification, measurement and management of risk throughout all aspects of the company via four processes:

  • Control testing
  • Operational loss processes
  • Providing risk and audit support (including the RCSA)
  • Control and risk awareness training

Operational Control–A Deeper Look

In April 2015, CIBC Mellon launched its Operational Control group as a reflection of the company’s commitment to reinforcing a strong risk culture across all business units. Operational Control does this by validating that the controls used by the business units in their daily processes are designed appropriately and working effectively. Operational Control’s mission is to be a valued business partner in the overall risk and internal control framework, taking steps to validate that the control culture across all areas of CIBC Mellon is embedded, sound and meeting client needs. By strengthening the level of personal responsibility and collaboration, the group works to achieve risk management excellence and risk awareness by every employee. This is key to maintaining both our high standards of governance and our clients’ trust, as a strong risk culture works to reduce risk opportunities across all levels of business.

Operational Control works within the scope of four main initiatives: control testing, facilitation of the Operational Loss Process, risk and audit support, and control and risk awareness training.

Control Testing

Operational Control develops and executes on defined test plans and works with business units to highlight areas of concern within each unit, helping to drive consistent, compliant and effective control standards across the company. The group is also responsible for assisting the Audit department with producing the Service Organization Control (SOC1) Report. This report provides assurances regarding the strength of internal CIBC Mellon controls that may be relevant to clients’ financial statements. The SOC1 Report contains information about the policies and procedures pertaining to custody, accounting and recordkeeping functions that are designed, implemented and documented by management. The SOC1 Report is provided to clients and their auditors to affirm that our internal controls have the necessary design and operational effectiveness to achieve the controls’ stated objectives.

Facilitation of the Operational Loss Process

The Operational Loss Process analyzes errors, near-misses and significant events to seek root causes of problems and put appropriate control measures in place to mitigate future recurrence. Operational Control works within the Operational Loss Process to track loss events for trends, monitor action plans, and advise on next steps, working collaboratively with business units as they implement process improvements.

Risk and Audit Support

Operational Control partners with business units to review the accuracy and completeness of Risk and Control Self-Assessments (RCSA), provide audit and regulatory support and embed an effective risk culture throughout the company. They do this by monitoring and validating expected standards or business-specific Key Risk Indicators (KRIs). These are comparable, predictable and informational measurement tools used to track the risk of an activity, and are implemented by each business unit. Operational Control seeks valid explanations for notable KRIs, analyzes the data for trends, adjusts testing plans in accordance with KRI results, and flags operational control issues and trends in management reporting.

Control and Risk Awareness Training

Educating employees is key to mitigating risk at the operational level. Operational Control assists business units by coordinating control and risk awareness training to educate staff about risk controls. Additionally, the group identifies and advocates practice improvement opportunities and lessons learned by hosting meetings to review new policies and procedures, losses, and key risk indicators and support business units as they proactively work to advance their culture and practices.

Key tools used to promote risk management:

  • Control and risk awareness training
  • Key Risk Indicators (KRI)
  • Operational Risk Committee's Strategic Risk Review
  • Operational Risk Event Report
  • Personal ownership by each employee
  • Risk and Control Self-assessment (RCSA)

Operational Control is represented on various key committees including the Executive Management Committee, the Information Management Committee, the Governance and Control Committee and the Operational Risk Committee at CIBC Mellon. Operational Control will continue its efforts in 2016, working to promote risk awareness by every employee and to embed a sound risk culture throughout the company.

Institutional investors seek the confidence of effective risk management from their asset servicing providers. The features within Operational Control come together to benefit clients by strengthening controls, risk management expertise, and risk culture to contribute to the overall protection of clients’ information and accounts. Clients benefit from a well-governed organization with a strong commitment to continuous improvement on the safekeeping of data and the mitigation of risk.

Line Two–Risk Oversight

Although primary risk oversight at CIBC Mellon is the responsibility of Risk Management, all governance partners provide support, guidance and direction to business units on issues that require specialized knowledge and skills. Governance partners within CIBC Mellon include Corporate Compliance, Legal, Finance, Information Technology, Human Resources, Internal Audit and Business Continuity Management. They provide input into new strategic initiatives of the various lines of business, and set standards to promote consistency of approach in the management and the reporting of risks that fall under their area of expertise.

All governance groups are represented on the Operational Risk Committee and help oversee risk management activities within the business to provide an appropriate level of assurance that relevant risks are being identified and reported.

The Risk Management group, in conjunction with Operational Control, oversees the RCSA process. They review each RCSA as it is completed by each DGO, supporting continuity throughout the business. Each business unit has a DGO to self-identify risk and analyze the risk profiles of their own business unit, as these individuals are the most familiar with the day-to-day risks in their respective areas. The RCSA is a working document for each business unit, and is updated by Risk Management and Operational Control with regular reviews to include changes such as new business processes, product launches or updated regulations.

Another key component for the Risk Management Program is the reporting of Operational Risk Events (ORE) overseen by the Risk Management department. Should an error occur, CIBC Mellon’s business units are required to complete an ORE report – regardless of whether there is a financial impact, and regardless of the size of the impact. This enables the capture of “near miss” scenarios. ORE reports are used to categorize operational errors, and are then analyzed for patterns and trends to identify and implement additional or new controls to reduce future errors. Any control deficiencies identified must be incorporated into the relevant RCSA, along with the action plan to address the deficiency.

Members of the governance groups also participate on CIBC Mellon’s new Initiative Committee and new Business Committee – this enables them to view and assess relevant risks before any new project is undertaken or a new client is on-boarded. This involvement from the start of the business cycle offers the opportunity for the governance groups to provide valuable input and suggestions regarding controls to reduce risk. Involvement at an early stage also allows the business units to be better informed, so that the RCSA is better able to capture any change to the risk and controls – the availability of better information leads to better controls.

Operational Risk Committee (ORC)

Members of CIBC Mellon’s ORC include representatives from Risk Management, Corporate Compliance, Internal Audit and Business Continuity as well as CIBC Mellon’s Executive Management Committee. All business units present to this committee, providing information on their inherent risks, control strategies, and emerging risks and trends which may be causing risk to increase. As the third key component of the Risk Governance Program, the formal review of operational risk through this committee supports the appropriate governance group oversight while ensuring business line management maintains accountability for identifying and managing the risks inherent in the products, services and activities for which they are responsible. The committee identifies common areas of concern across all business units by identifying cross-functional risks.

Line Three–Risk Assurance

Risk Assurance includes the Internal and External Audit functions, which report to the Audit Committee of CIBC Mellon’s Board of Directors. These functions provide the committee, the Board and CIBC Mellon’s senior management with independent and objective risk assurance regarding the adequacy and effectiveness of CIBC Mellon’s risk management, internal control and governance processes. The Audit functions conduct risk-based audits examining controls over operational, technology and financial controls, as well as compliance with regulatory provisions. The audit cycle is based on residual risk assessments. Audit results and the status of remediation of audit observations are reported to senior executives, both parent audit groups and quarterly to the Audit Committee of the Board.

Our Commitment To Protecting Our Clients, Colleagues And Company

The breadth of coverage from our multiple lines of defence comes together to provide a sound structural risk framework and strengthen CIBC Mellon’s risk culture by embedding the core concept of personal responsibility into every line of business. The purpose of CIBC Mellon’s Risk Governance Program is to deliver value to clients by providing assurance that our risks are being appropriately identified, measured, managed and reported. By fostering a strong control environment and reinforcing risk awareness and risk culture across CIBC Mellon, we are not only protecting our company, employees and our reputation, but also serving the interests of our clients and the many stakeholders in Canada’s capital markets who we work with every day.

More information

To learn more, contact your relationship executive, account manager or Corporate Communications at corporate_communications@cibcmellon.com or call us at 416-643-5000.

This article is provided for general information purposes only and CIBC Mellon and its affiliates make no representations or warranties as to its accuracy or completeness, nor do any of them take any responsibility for third parties to which reference may be made. This article should not be regarded as legal, accounting, investment, financial or other professional advice nor is it intended for such use.

About CIBC Mellon

CIBC Mellon is a Canadian company exclusively focused on the investment servicing needs of Canadian institutional investors and international institutional investors into Canada. Founded in 1996, CIBC Mellon is 50-50 jointly owned by The Bank of New York Mellon (BNY Mellon) and Canadian Imperial Bank of Commerce (CIBC). CIBC Mellon's investment servicing solutions for institutions and corporations are provided in close collaboration with our parent companies, and include custody, multicurrency accounting, fund administration, recordkeeping, pension services, exchange-traded fund services, securities lending services, foreign exchange processing and settlement, and treasury services.

As at December 31, 2023, CIBC Mellon had more than C$2.6 trillion of assets under administration on behalf of banks, pension funds, investment funds, corporations, governments, insurance companies, foreign insurance trusts, foundations and global financial institutions whose clients invest in Canada. CIBC Mellon is part of the BNY Mellon network, which as at December 31, 2023 had US$47.8 trillion in assets under custody and/or administration. CIBC Mellon is a licensed user of the CIBC trade-mark and certain BNY Mellon trade-marks, is the corporate brand of CIBC Mellon Global Securities Services Company and CIBC Mellon Trust Company, and may be used as a generic term to refer to either or both companies.

For more information – including CIBC Mellon's latest knowledge leadership on issues relevant to institutional investors active in Canada – visit www.cibcmellon.com or follow us on Twitter @CIBCMellon.