UBS presentation Key remediation actions Nov 17, 2014 Group-wide actions • Integration of Compliance and Operational Risk Control We have integrated Compliance and Operational Risk Control. The key benefits of the integration will be: − Achieving a stronger defense mechanism based on preventative measures, thereby reducing the likelihood and impact of a significant event. This will be achieved through combining skills across Risk, Compliance and Control and realigning activities appropriately across 1st & 2nd line of defense. − Becoming forward looking to identify and action potential significant risks and issues early. This will be achieved by focusing the view of consequential risk management on forward looking risk identification and industrializing the use of data analysis underpinned by technology. − Establishing one firm-wide consistent Risk & Control Framework to enable strengthened controls to be efficiently delivered. This will include the streamlining and enhancing of risk control assessments and operating seamless 'top down' and 'bottom up' risk & control assessment continuum. − Establishing clear accountability & prioritization, including the definition of clear roles and responsibilities for consequential risk management to mitigate execution risks. • Increased Monitoring and Surveillance We continue to enhance overall M&S capabilities to identify and detect improper business and employee practices. This works is focused across six work streams: • 1) Strengthening cross border monitoring, 2) Enhanced employee intelligence capabilities which consolidates multiple data points of individuals, 3) Electronic communications monitoring, 4) Enhanced monitoring of audio communications relating to benchmark submissions, 5) IB trade surveillance, 6) Unauthorised trading detection in the IB. • Enhanced whistleblowing process − We have enhanced the whistleblowing process, re-issued the Whistleblowing Protection policy for Employees, and increased communications on the program. − The case management process has been optimized to reduce the time for cases to be reviewed and closed. • Personal Account Dealing − The Personal Account Dealing policy has been revised to ensure that consistent, enhanced global standards are put in place and generally only UBS accounts are allowed for UBS employees to monitor own trading activity 1 Specific Investment Bank actions • Policy and Conduct: − We have significantly updated the Fixed Income, Rates and Credit Handbook (Code of Conduct) and published and circulated the new Handbook to employees. Enhanced and new sections cover communication, behaviour, and market and client conduct. − We have completed mandatory conduct training for all IB Sales and Trading staff with over 2,600 staff having attended the live sessions. The new conduct training now forms part of the induction for all new IB Sales and Trading staff. − We have banned the use of personal mobile devices on trading floors globally. − We have been industry leaders in setting new procedures to ensure appropriate usage of chat rooms as a form of communication, including closure of chat rooms (ca 50%), banning of social chat and implementation of new policy including room owners, moderators and guidance on usage. • Systems and Organisation: ⁻ We have consolidated analytical surveillance activities into a single C&ORC Function to enhance our controls and to integrate into our trade surveillance infrastructure. ⁻ We have increased staffing levels to enhance management oversight. ⁻ We have further strengthened our infrastructure to ensure segregation of duties to avoid any conflicts of interest. • Process and Control: − We are continuing to roll out a new Employee Conduct Risk dashboard regionally. − We have issued guidance on completion of Trade Entry Error reports to ensure errors are reviewed and escalated in a timely manner. − We are introducing new procedures to ensure enhanced regular review of key front-to-back controls. − We have defined, and are in the process of implementing, a new set of metrics to enhance our management information in relation to our usage of third-party brokers • In control in business campaign (launched in July 2012) − Group wide awareness campaign highlighting the importance of risk control and the responsibility of the individual as a risk manager. 2 Lessons Learned: Improving Control Environment and Culture Considering the lessons learned from the financial crisis and other internal and external events, UBS has taken a range of measures to improve the firm's risk management and control processes and drive the right behaviors to protect the firm's reputation and achieve the strategic goals. 2008 - 2011 2012 -> ongoing 2013 -> ongoing 2014 -> ongoing • Refresh of the code of business conduct and ethics • Introduction of Group Significant Operational Risk Issues (GSORIs) • Creation of the Master List of Significant Issues (MLSI) • Risk Effectiveness program • Enhanced remuneration framework – introduction of deferred compensation and forfeiture of compensation • Enhanced Operational Risk Framework (ORF2) • Master List of Significant Issues Managing Director ownership and independent assurance • Strengthening front-to-back control accountabilities through the Chief Operating Officers • Investment Bank Unauthorized Trading Accident remediation including behavioral program • Risk embedded in performance and compensation • Enhanced Supervision • In Control In Business communication campaign • Performance Management assessment and promotions • Enhanced Incidents and Consequences process • Independent management testing of key controls • Development of an intelligence capability – enhanced monitoring • Libor Lessons learned initiatives on the 2nd line of defense • Enhanced investigation framework • Whistleblowing communication campaign • Comprehensive program on leadership and behaviors • Market Conduct Enhancement Program • Enhancements to the whistleblowing process • Integration of Compliance and Operational Risk Control • Conduct Risk • FX Spot Review and associated controls and governance remediation Control Remediation Increasing Complementary Focus on Behavioral Aspects Strengthening the culture takes time – programs are in progress 3 Lessons Learned: Improving Control Environment and Culture Measures and programs CONTROLS • Enhanced Operational Risk Framework (ORF2)     Complementing current Operational Risk assessments with sub divisional Front to Back risk assessments Key controls continue to be embedded into the Chief Operating Officer dashboards and run the bank operations Control assessment process embedded within strategic change programme design phase Positive regulatory assessment received of Enhanced Operational Risk Framework implementation  Independent management testing of key controls   Introduction of independent management testing of key controls and full testing of relevant population of bank Complementary to the internal control testing and provides an additional level of assurance  Commenced development of an 'intelligence capability' – enhanced monitoring  The 'intelligence capability' contains 3 elements:  Development and implementation of a capability to link disparate information from multiple sources at employee level  Enhancements to electronic communications monitoring and discovery capabilities  Enhancement of alert generation capabilities  Libor Lessons learned initiatives on the 2nd line of defense   The assessment of current measures in place – ensuring that they are completed and embedded in the firm Clarification of control expectations for the 2nd line of defense for conduct, regulatory and reputations risks  FX Controls and Governance Review  •  Investment Bank 'Look Across' Review  Group Internal Audit and Operational Risk Control review of the Front to Back control and governance aspects of the FX spot business including - FX Business Profile and Organizational set up - Front Office supervision / Performance Review - Control Function Processes In addition the applicability of FX remediation actions against other Investment Bank Business lines is conducted to determine where control enhancements can be leveraged to mitigate against threats to the wider organisation. A firm wide risk assessment, the "Look Across Process" was conducted in Q4 2013 to test the hypothesis that markets and businesses which share some of the same attributes common to LIBOR and FOREX events could also be susceptible to market misconduct 4 Lessons Learned: Improving Control Environment and Culture Measures and programs    PROCESS • Introduction of Group Significant Operational Risk Issues (GSORIs) Creation of the Master List of Significant Issues (MLSI) Master List of Significant Issues Managing Director ownership and independent assurance Strengthening front-to-back control accountabilities through the Chief Operating Officers      Identification of the key operational risks for the firm and establishment of effective remediation Clear ownership with individual Group Executive Board members Common rating scale in place across the firm Level 4 and 5 issues assigned to MDs and included in Performance Management objectives Independent assurance of associated remediation by GIA for all risk issues and actions impacting the firm   Revised mandate for Chief Operating Officers to re-emphasize the Front to Back control responsibility Chief Operating Officers dashboards introduced to provide visibility of the Front to Back control environment  Investment Bank Unauthorized Trading Accident remediation including behavioral program   Completion of complex and broad remediation program on time Included a behavioral program led by the Investment Bank Executive Committee  Risk and Behaviors embedded in performance and compensation  Process to embed control function feedback into the performance assessment and compensation processes  Enhanced Investigations framework  Common approach and governance for level 4 and 5 investigations  Conduct Risk  Develop an approach to identification, assessment and reporting of Conduct Risk across the firm 5 Lessons Learned: Improving Control Environment and Culture Measures and programs Refresh of the Code of business conduct and ethics      Enhanced supervision       Whistleblowing CULTURE  Communications programs In control In Business    The Code reflects principles and practices that are binding for all of UBS's employees and Board members to follow unreservedly It is available on the intranet in 10 languages Online training is also available Implemented training activities to ensure that it is properly understood and correctly applied Critical initiative to set and embed higher expectations of supervisors across all functions. Group Executive Board approved the "Principles of Good Supervision" (2H12) and self assessment completed by each function Online mandatory training modules introduced for both supervisors and non-supervisors "In Control In Business" (ICIB) is a Group-wide internal communications campaign designed to help establish a stronger risk culture across the firm "In Control In Business" campaign was launched in June 2012 "Principles of Good Supervision" were published and reinforced through "In Control In Business" campaign   Whistleblowing policy has been reviewed to confirm it adequately covers ethical matters A campaign around whistleblowing procedures was launched by the Chairman and Group CEO to encourage staff to raise concerns  Comprehensive program on leadership and behaviors    Program set-up in 1Q13 Tone from the top – engagement and reinforcement actions are being implemented across the firm Key behaviors defined and rolled out to the firm. All 60000 employees touched.  Performance Management assessment and promotions     Key behaviors embedded in the Performance Management/comp process Enhanced Incident and Consequences process Promotion proposals assessed against behavior / disciplinary actions Senior leadership using "Master List of Significant Issues" assurance work as a factor in compensation decisions  Compliance and Operational Risk Control Integration  Move of Compliance to Risk Control and integration with Operational Risk Control to consolidate the second line of defence for consequential risk Positioning the Compliance organization as a control function within the firm  6