RBA: Assessment of Chicago Mercantile Exchange Inc. against the Financial Stability Standards for Central Counterparties Standard 16: Operational Risk

CME maintains an ORMF, which outlines the policies and steps to identify, assess and manage operational risks facing CME Clearing Division. The policy is part of the CME Group-wide Enterprise Risk Management program and complements the CME Clearing Division Risk Management Framework. Components of the ORMF were reviewed by the CHRC and the Board in the second quarter of 2014, and will now be reviewed at least annually thereafter in their review of the Risk Management Framework (see CCP Standard 3), or when significant changes are made.

The main areas of operational risk identified by CME Clearing Division include IT risk, vendor risk, compliance risk, process risk and financial reporting risk.

CME Clearing Division uses a ‘three lines of defence’ approach to monitor and manage operational risks.

• Primary and immediate responsibility for identifying and managing risks lies with operational department-level management and staff.
• The second line of defence comprises Group-wide Corporate Compliance and ERM processes. The purpose of the ERM program is to promote and facilitate risk management across CME Group by establishing processes to consistently identify, communicate, assess, respond to and monitor enterprise-relevant risks. The objective of this approach is to allow the first line of defence (operational functions) to establish risk management processes that meet necessary operational requirements, while also supporting the needs of enterprise-wide risk management. CME Group has established a Risk Management Team (RMT) as a cross-functional forum for identifying, communicating, assessing, responding to and monitoring enterprise-relevant risks facing CME Group. The RMT is comprised of senior representatives from each division designated by the Senior Leadership Team and meets at least monthly. The Clearing House Operations function has representation on the RMT where relevant risks are discussed. Governance and oversight of the ERM program is provided by the Senior Leadership Team and the CME Group Audit Committee. Furthermore, the ORMF is overseen by the Clearing House Risk Management team.

• The third line of defence comprises internal and external audits of the implementation and performance of the ORMF. Internal audits are conducted according to the annual Global Assurance Plan (see CCP Standard 2.7). Risk management and control processes are audited annually, while other specific functions are audited less frequently. CME Group's Global Assurance Group is overseen by CME Group's Board-level Audit Committee. Where appropriate, CME Group complements the work of the Global Assurance Group with external audits. See also CCP Standard 2.7 for more detail on CME's internal audits.

CME Clearing Division uses these processes to produce a library of risks, as well as related items including relevant policies and procedures, regulations, controls, tests and indicators. The ERM team coordinates the compilation of a quarterly Enterprise Risk Profile report, which provides the Senior Leadership Team and the Audit Committee with a perspective on CME Group's risk profile. Changes in the operational risk profile of CME Clearing Division are reported through the Head of Operations to senior management of CME Clearing Division, the CHRC, the ERM team and the Board. Any product-specific changes in operational risks are also reported to the IRSRC and the CDSRC, as appropriate. The ERM team is also responsible for reviewing any significant operational incidents.

The Board – through the Audit Committee – is tasked with approving, monitoring and reviewing the operational risk framework, policies and practices of the CME Group Exchanges and CME Clearing Division. The Audit Committee receives quarterly reports on CME's risk profile from the ERM team.

The Board's duties and responsibilities in relation to operational risk are to approve and review annually the enterprise-level framework for managing operational risk, including:

• satisfying itself that appropriate systems are in place to identify, evaluate and manage the significant risks faced by CME Clearing Division
• ensuring that staff throughout the enterprise are clear as to their own roles and responsibilities
• providing senior management with clear principles underlying the framework
• approving the policies developed by senior management or, if appropriate, the appropriate Risk Committee(s) and setting the risk appetites for the various operational risks
• receiving reports on operational risk exposure, including against risk appetites as part of its oversight function, so that it can ensure appropriate action is taken
• ensuring that the operational risk framework and procedures, across the enterprise, are audited effectively by independent, appropriately trained and competent staff.

As noted in CCP Standard 16.1, the implementation and functioning of the ORMF is subject to internal and external audit, and components of the Framework are reviewed annually, as part of the broader governance and oversight function undertaken by the Board and the Audit Committee (see CCP Standard 3.1).

Systems are reviewed before major changes, in accordance with CME's change management program. The program has policies covering configuration, change management and systems development. Broadly, these policies ensure:

• security impact analyses are performed for all system and configuration changes
• information security templates are completed, so that information security is considered at the beginning of system development projects
• quality assurance testing is carried out for all changes prior to implementation
• vulnerability scans are performed on all new standard configuration settings.

The Global Assurance Group reviews the implementation and effectiveness of change management policies and procedures. CME occasionally engages independent external firms to assess application development and change management practices.

Availability

CME documents operational reliability objectives through operational reliability goals and Service Level Agreements. CME's Service Level Agreement targets for its key systems (Front End Clearing and File Transfer Protocol server access) aim for system availability in excess of 95 per cent. CME Clearing Division's average system availability for the twelve months to June 2014 was 99.979 per cent, with no outages other than due to routine maintenance. In addition, there were no outages in July 2014.

Capacity

CME Group aims to have capacity in excess of twice the last peak load for all operational systems, although this is not a formal policy. The all-time peak was established during August 2011 and current capacity is at two times this peak. During 2013 and until end-July 2014, CME's clearing systems did not experience any capacity-related issues or outages. CME Group will be conducting stress testing on the capacity of its disaster recovery systems during 2014.

CME Group has systems in place to allow real-time monitoring of resource usage to help meet its reliability objectives. The CME Clearing Division IT Department includes a dedicated performance and reliability testing team to monitor capacity utilisation. Alerts are generated when messaging capacity thresholds are reached and these are manually escalated to clearing support staff. In addition, CME Group's IT staff produce daily reports for critical services (the Service Level Agreement targets reports), review all key performance metrics and service levels, and monitor trends in capacity use for the past 7 and 120 days. CME Group also produces a daily report on broader job execution/processing times, which helps to identify capacity trends in areas that are not explicitly monitored in the Service Level Agreement targets report. CME Group Senior Management are notified, according to CME Group's escalation protocol, when specified thresholds are, or are likely to be, exceeded.

CME Group also has processes for modelling operational demands in order to forecast required capacity. CME Group stress tests capacity on a weekly rotating basis, with critical systems grouped into four test groups (i.e. each system is tested on a four-weekly basis). Capacity testing is performed using an application that can run at speeds multiple times faster than in production. Results are reviewed weekly and any issues are escalated to operational and development teams as required. Capacity modelling is monitored and reviewed by Senior Management through quarterly capacity meetings, which review infrastructure performance and capacity utilisation trends. These meetings inform infrastructure enhancements and ensure operational reliability goals continue to be met.

CME Group maintains a change management program to ensure performance and resilience of core IT systems. The program has policies covering configuration, change management and systems development (see CCP Standard 16.2).

Physical and information security

CME Group's Business Continuity Management Policy seeks to mitigate risks from potential sources of physical vulnerability and threats. These arrangements are detailed below under CCP Standard 16.7. In establishing its Business Continuity Management Policy, CME Group has cooperated with a number of industry bodies, including the Futures Industry Association and the Securities Industry and Financial Markets Association, and US regulators, including the Department of Homeland Security and the Federal Emergency Management Agency. This cooperation seeks to ensure that CME's business continuity arrangements are consistent with relevant standards and are coordinated with relevant stakeholders. The Business Continuity Management Policy is aligned with the US NFPA 1600 standard and International ISO 22301 standard.

CME Group also maintains an information security strategy, with the objective of protecting the confidentiality, integrity and availability of CME Group's information. The strategy is implemented and overseen by the Group's Global Information Security Department. Information security requirements apply to all CME staff, contractors and consultants, as well as to outsourced services and third-party agreements. The Global Information Security Department provides training to CME staff and third-party users, and conducts risk-based compliance assessments; those who do not comply may be subject to disciplinary action. The Global Information Security Department is also responsible for ensuring information security is considered as part of project development, and for conducting risk-based security assessments.

CME's information technology policies include measures to reduce CME's exposure to cyber-attacks. CME has conducted third-party and internal testing of its ability to withstand cyber-risks.

Resourcing is determined at CME Group level. CME human resources are budgeted for by the Finance Department at least annually, based on input from operational divisions. When specific staffing needs arise, operational divisions are responsible for lodging requests with CME Group's Human Resources Department; this is set out in CME Group's Recruiting Resource Guide. CME Group has a dedicated group of recruiters to support hiring; recruiters actively seek qualified candidates to fill positions. CME provides training opportunities to staff. CME has an External Training Policies and Procedures document, which sets out how employees can access external IT, management and professional skills training. All CME staff must complete a security awareness training course at least annually and some departments require training specific to employees' roles.

CME Group also conducts a semiannual performance review process to ensure its staff have appropriate skills. This process identifies development goals and expectations for staff; off-cycle coaching discussions between staff and supervisors to help staff attain proficiency are also encouraged. Compensation and promotions are aligned with performance.

CME Group has a group-wide employee Code of Conduct, which addresses fraud prevention, including insider trading. All employees are held to the Code and breaches are handled according to the Management Employee Reporting and Escalation Policy. Violation of the Code can result in disciplinary sanctions, including termination.

CME Group prioritises business processes and systems to ensure that resources are available to perform critical functions in the event of a business disruption. CME Group seeks to manage key-person risk by identifying critical roles and developing plans for potential successors. These plans are reported to the Board annually. The Board and its Governance Committee directly oversee succession planning for the Chairman and the CEO, while the Board-level Strategic Steering Committee oversees succession planning for all other Senior Management roles.

To ensure that all key systems are operated securely and reliably in all circumstances, CME Group's disaster recovery plans also cover alternative work arrangements in the event of disrupted access to office locations. This includes relocation of staff required to support critical operations to backup locations, telecommuting and work-transfer (see CCP Standard 16.7). Additionally, clearing and settlement systems can be recovered and operated by out-of-region employees, which helps to ensure system recovery in less than two hours. This is tested semiannually to ensure operations can be resumed. CME also facilitates remote access for critical staff, to be used in the event of operational events such as pandemics or severe weather. These arrangements are tested at least annually.

Projects

CME Clearing Division is responsible for managing and prioritising risk- and operations-related projects, including ensuring adequate resource availability. CME's Enterprise Solutions Division is responsible for managing cross-functional projects related to business initiatives such as mergers and acquisitions, and new business areas. The Enterprise Solutions Division is responsible for ensuring projects are implemented on time, and within budget and scope. Part of the Division's role is to assess the resource requirements and supply throughout the project, to ensure disruption to business-as-usual processes is minimised.

Dependencies on participants and other FMIs

CME Clearing Division monitors the operational capability of its clearing participants on an ongoing basis. Participants must meet specified operational capacity requirements for clearing membership. These requirements are detailed below under CCP Standard 16.6. Participants are also encouraged to participate in CME Group's business continuity tests (see CCP Standard 16.8). As part of full-system failover, CME Group tests its clearing systems twice each year. One of CME Clearing Division's tests forms part of the Futures Industry Association's industry-wide clearing exercise, conducted each autumn.

Systems for communication with clearing participants, and operational support, are available 24/7. CME Group also ensures its risk management systems are available 24/7, and operates a Global Security Command Centre that is managed continuously by security analysts to monitor and respond to security threats.

CME has operational staff based in Chicago and London that work during Australian business hours. CME has indicated to the Bank that it is prepared to expand its operational staff in the region on an as-needed basis as its business develops. In the first instance, operational assistance to Australian participants would be provided from Chicago, with support also available from CME's London office. CME also maintains clearing staff in Singapore. CME has further indicated that it would work with Australian market participants to meet their training needs, including through in-person training.

CME provides clearing services to two third-party exchanges: DME and Eris. CME's clearing operations do not materially depend on either organisation. CME uses real-time monitoring to alert it to system issues related to all exchanges it clears, including these third-party exchanges. In addition, CME Clearing Division seeks to mitigate and control the risks it poses to third-party exchanges through Clearing and Services Agreements, which provide general standards of performance. Additionally, these partner exchanges participate in CME Group's autumn disaster recovery exercises detailed above, to ensure contingency connectivity and clearing services function adequately.

CME has arrangements with three partner clearinghouses: FICC and OCC for cross-margining arrangements; and SGX for the mutual offset program (see CCP Standard 19). CME has frequent contact with these clearinghouses to ensure business continuity plans, clear lines of communication and escalation procedures are in place. CME Clearing Division monitors network communications and data transfers between clearinghouses so as to be alerted on a timely basis should a disruption occur.

Dependencies on service providers

CME Group defines critical suppliers as suppliers that are needed to run core business functions and the failure of whose systems/services would threaten the viability of CME or its reputation. CME's contracts with its critical suppliers contain service level agreements and performance metrics to ensure the supplier meets relevant operational standards. Breaches of these agreements are escalated within CME and can result in financial penalties for suppliers. CME has indicated to the Bank that it plans to conduct regular assessments of the continuity and resilience practices of its critical suppliers.

CME has identified its critical suppliers as the third parties that provide network, telecommunications and power services, as well as providers of market information. CME relies on Bloomberg and Reuters for pricing information. In the event of a failure of Bloomberg or Reuters, the first option would be to obtain prices from an alternative provider. If this is not possible, CME Clearing Division would use the previous day's prices and apply a more conservative haircut. In addition, Rule 813 establishes CME's right to conduct settlements based on the information that is available. In the event of a SWIFT failure, CME Clearing Division would effect payment and securities movements to banks and custodians using facsimile.

Operational risks posed by utility providers are addressed in the context of CME Group's vendor resiliency program and through contracts with individual providers. CME Group data centres have redundant electrical feeds, backed up by generators. To mitigate the risks arising from extended outages of utility providers, CME Group maintains multiple data centres (see CCP Standard 16.7).

CME Clearing Division also relies on settlement banks and Fedwire to conduct its money settlements (see CCP Standard 9), and CLS as a third-party provider for foreign exchange settlement services (see CCP Standard 10).

Support to Australian participants

The Bank expects CME to provide adequate operational support arrangements to Australian participants, particularly during Australian market hours. As noted above, CME has informed the Bank that, in the first instance, operational assistance to Australian participants would be provided from Chicago, with support also available from CME's London office. CME will also work with Australian participants to meet their training needs. The Bank will monitor these arrangements to establish whether they appropriately meet Australian participants' needs and adequately mitigate operational risks associated with their participation.

CME Clearing Division requires all participants to have adequate operational capacity to:

• participate in default management procedures and auctions
• commit to real-time monitoring of positions
• conduct daily internal stress tests measure their exposures in real time
• determine and monitor customer suitability and creditworthiness.

CME Clearing Division monitors participants' compliance with operational requirements; a failure by a clearing participant to meet these requirements may result in sanctions or suspension.

Participants are also monitored by the Joint Audit Committee. The Joint Audit Committee is an industry body, assigned responsibility by the CFTC, to oversee all clearing participants of US CCPs. All US CCPs, including CME Clearing Division, are represented on the Joint Audit Committee. The Joint Audit Committee conducts examinations of clearing participants in order to reduce the compliance burden on clearing participants that clear with multiple CCPs, and to promote a uniform approach among CCPs. Joint Audit Committee reviews include examination of a clearing participant's adherence to applicable CCP rules, and adherence to regulations of the CFTC and other authorities. Additionally, the Joint Audit Committee undertakes risk-based examinations of participants, including operational requirements like recordkeeping and reporting. The CFTC requires risk-based examinations to be performed every 9 to 18 months. The CFTC reviews a sample of the examinations every quarter, and may conduct its own examinations.

The CME Rulebook requires all clearing participants to have written disaster recovery and business continuity policies and procedures in place. These requirements are designed to ensure that clearing participants are able to perform basic operational functions, key to CME Clearing Division's own risk mitigation, even during significant disruptions. Requirements include:

• procedures to port customer accounts to another clearing participant with minimal disruption to CME Clearing Division
• periodic testing of disaster recovery and business continuity plans
• mirroring of critical systems at backup sites
• periodic backup of critical information
• a list of key contacts, provided to CME Clearing Division
• any other requirement CME Clearing Division prescribes.

Contingency arrangements

CME Group has business continuity and disaster recovery arrangements, encompassing recovery plans for critical services. These arrangements are documented in the CME Group Business Continuity Management Policy. The Policy is designed to ensure CME Group and CME Clearing Division can respond to an incident in a way that mitigates potential impacts and protects participants, stakeholders and CME.

CME Group's Business Continuity Management Policy establishes a two-hour recovery time objective for clearing and settlement systems. This recovery time objective was introduced at the end of 2013, replacing the previous four-hour recovery time objective, and applies once a disaster has been declared. The two-hour recovery time objective does not apply to ‘non-essential to clearing’ applications.

CME Group is moving to a two-data-centre model, with its production data centre in the Chicagoland area and its disaster recovery facility in the New York/New Jersey area. Both data centres rely on separate infrastructure. The New York/New Jersey data centre houses recovery facilities for all critical systems, but with lower capacity than the Chicago facility. All critical CCP functions are supported by staff in different locations, who can be assigned where necessary during a crisis.

To ensure data integrity and availability, CME mirrors production systems in real time and supplements these with nightly and weekly backups of data, systems and configurations. Critical operational systems exist in dual environments at different data centres where the same applications, servers and databases are available. These environments are replicated throughout the day to ensure that data can be easily recovered.

Incident management

CME Group's Business Continuity Management Policy establishes a command structure and assigns responsibilities in a crisis. Should an event occur that falls within the parameters of a ‘Business Continuity or Disaster Recovery event’, the relevant business area would notify the Crisis Management Team (CMT) Commander. If an outage was due to staff or a site being unavailable, it would be considered a Business Continuity event (if either critical or non-critical functions were impacted), while a catastrophic event at the production data centre would be classified as a Disaster Recovery event. The CMT Commander would assess whether to continue to monitor the situation, or whether to declare a crisis and mobilise the CMT.

Should the CMT Commander declare a crisis, four teams would be set up to coordinate CME's response. These teams are:

• CMT: composed of CME Group Senior Management and provides overall direction and governance during a crisis. The CMT Commander, who is the Senior Managing Director of Global Operations, has first responsibility for crisis management and is notified of any event that could potentially damage CME Group's operations, financial standing or reputation. Backup CMT Commander roles are assigned to the Chief Information Officer and the Chief Operating Officer. All three individuals are members of the CME Group Senior Leadership Team. The CMT Commander assesses the impact and decides whether to mobilise the CMT. If the situation requires a system failover, the technology representative on the CMT would make the recommendation to the CMT Commander, who gives final authorisation for failover procedures.
• Logistics Team: supports crisis management activities of the CMT by acting as the coordination and communications hub. The team comprises representatives from departments across CME, including CME Clearing Division and all other CME Group divisions.
• Business Continuity Teams: responsible for responding once the CMT makes a declaration and for ensuring CME Group's priorities are met during the recovery.
• Regional Incident Response Teams: respond to local issues at each CME Group office location. These teams are overseen by the CMT Commander.

CME Group's Business Continuity Management Policy ensures planning occurs by location, to ensure location-specific impacts and events are communicated to the CMT Commander and are handled appropriately. The relevant Regional Incident Response Team is responsible for implementing any local actions.

The Business Continuity Management Policy includes a plan for crisis communications. This plan is overseen by the Corporate Communications member on the CMT and is carried out by the Logistics Team. The plan details procedures for internal and external communications, including to relevant regulators, stakeholders, participants and the public.

Testing

CME Clearing Division conducts monthly, internal failover tests. These tests involve a failover of critical clearing systems to the disaster recovery facilities. All critical applications and business continuity plans are tested at minimum twice per year; the results of business continuity tests are subject to internal audit. As noted in CCP Standard 16.5, CME Group participates in the annual industry-wide clearing business continuity testing, run by the Futures Industry Association.

CME Clearing Division has conducted a number of recent business continuity tests, including a test of the New York/New Jersey backup infrastructure in late November 2013 and in March 2014.

CME Clearing Division's biannual contingency tests include scenarios in which participants are forced to failover to their backup environment, which ensures participants' backup facilities can establish and maintain connection with CME Clearing Division. Currently, these exercises are not mandatory, but are strongly encouraged.

As noted in CCP Standard 16.5, CME Clearing Division participates in industry-wide clearing business continuity testing, run by the Futures Industry Association. During 2013, 44 of CME's clearing participants also participated in this test, representing around 90 per cent of CME's clearing volume.

CME Clearing Division does not outsource any critical functions. However, CME relies on Bloomberg and Reuters for pricing information and SWIFT for issuing banking instructions – CME Clearing Division has backup plans in case these services are unavailable (see CCP Standard 16.5). CME Clearing Division also relies on Fedwire to ensure payment of settlement obligations across settlement banks.

CME Clearing Division's ORMF applies to risks arising from third parties as well as internal risks. CME Clearing Division's testing programs apply to relevant outsourced services and facilities; agreements with service providers must include information security requirements, arrangements for ensuring continuity of service, arrangements for incident management and for change management.

CME Clearing Division provides clearing services to two third-party exchanges: DME and Eris. CME's clearing operations do not materially depend on either organisation.

CME also provides CME Clearing Europe with services, in Clearing IT, Disaster Recovery and Business Continuity, Clearing Operations, Risk Management, Audit and Membership, Banking and Settlement, Market Regulation, Group Internal Audit and General Services. Although CME Clearing Europe maintains its own operational staff and decision-making responsibility for risk management and overall governance, many processes and systems are shared so that resources may be allocated where required.

CME Clearing Division does not outsource any critical functions.

As CME is an overseas CS facility, in a crisis scenario, crisis management actions would be expected to be led by CME's home regulator, the CFTC.

CME has notification requirements with the CFTC when business continuity plans or procedures are activated. CME is also subjected to event-specific reporting requirements in relation to certain hardware or software failures.

CME Clearing Division expects to finalise its RWP by the end of 2014.