Managing Risk

Overview

Our management governance structure enables us to manage all major aspects of our business through an integrated planning and review process that includes strategic, financial, associate, customer and risk planning. We derive much of our revenue from managing risk from customer transactions for profit. In addition to qualitative factors, we utilize quantitative measures to optimize risk and reward trade offs in order to achieve growth targets and financial objectives while reducing the variability of earnings and minimizing unexpected losses. Risk metrics that allow us to measure performance include economic capital targets, SVA targets and corporate risk limits. By allocating economic capital to a business unit, we effectively define that unit's ability to take on risk. Review and approval of business plans incorporates approval of economic capital allocation, and economic capital usage is monitored through financial and risk reporting. Country, trading, asset allocation and other limits supplement the allocation of economic capital. These limits are based on an analysis of risk and reward in each business unit and management is responsible for tracking and reporting performance measurements as well as any exceptions to guidelines or limits. Our risk management process continually evaluates risk and appropriate metrics needed to measure it.

Our business exposes us to the following major risks: strategic, liquidity, credit, market and operational. Strategic Risk is the risk that adverse business decisions, ineffective or inappropriate business plans or failure to respond to changes in the competitive environment, business cycles, customer preferences, product obsolescence, execution and/or other intrinsic risks of business will impact our ability to meet our objectives. Liquidity risk is the inability to accommodate liability maturities and deposit withdrawals, fund asset growth and meet contractual obligations through unconstrained access to funding at reasonable market rates. Credit risk is the risk of loss arising from a borrower's or counterparty's inability to meet its obligations. Market risk is the risk that values of assets and liabilities or revenues will be adversely affected by changes in market conditions, such as interest rate movements. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or external events. The following sections, Strategic Risk Management, Liquidity Risk and Capital Management, Credit Risk Management, Market Risk Management and Operational Risk Management, address in more detail the specific procedures, measures and analyses of the major categories of risk that we manage.

Risk Management Processes and Methods

We have established control processes and use various methods to align risk-taking and risk management throughout our organization. These control processes and methods are designed around "three lines of defense": lines of business; enterprise functions (including Risk Management, Compliance, Finance, Human Resources and Legal); and Corporate Audit.

The lines of business are the first line of defense and are responsible for identifying, quantifying, mitigating and managing all risks within their lines of business, while certain enterprise-wide risks are managed centrally. For example, except for trading-related business activities, interest rate risk associated with our business activities is managed in the Corporate Treasury and Corporate Investment functions. Line of business management makes and executes the business plan and is closest to the changing nature of risks and, therefore, we believe is best able to take actions to manage and mitigate those risks. Our lines of business prepare periodic self-assessment reports to identify the status of risk issues, including mitigation plans, if appropriate. These reports roll up to executive management to ensure appropriate risk management and oversight, and to identify enterprise-wide issues. Our management processes, structures and policies aid us in complying with laws and regulations and provide clear lines for decision-making and accountability. Wherever practical, we attempt to house decision-making authority as close to the transaction as possible while retaining supervisory control functions from both in and outside of the lines of business.

The key elements of the second line of defense are Risk Management, Compliance, Finance, Global Technology and Operations, Human Resources, and Legal functions. These groups are independent of the lines of businesses and are organized on both a line of business and enterprise-wide basis. For example, for Risk Management, a senior risk executive is assigned to each of the lines of business and is responsible for the oversight of all the risks associated with that line of business. Enterprise-level risk executives have responsibility to develop and implement polices and practices to assess and manage enterprise-wide credit, market and operational risks.

Corporate Audit, the third line of defense, provides an independent assessment of our management and internal control systems. Corporate Audit activities are designed to provide reasonable assurance that resources are adequately protected; significant financial, managerial and operating information is materially complete, accurate and reliable; and employees' actions are in compliance with corporate policies, standards, procedures, and applicable laws and regulations.

We use various methods to manage risks at the line of business levels and corporate-wide. Examples of these methods include planning and forecasting, risk committees and forums, limits, models, and hedging strategies. Planning and forecasting facilitates analysis of actual versus planned results and provides an indication of unanticipated risk levels. Generally, risk committees and forums are composed of lines of business, risk management, treasury, compliance, legal and finance personnel, among others, who actively monitor performance against plan, limits, potential issues, and introduction of new products. Limits, the amount of exposure that may be taken in a product, relationship, region or industry, seek to align corporate-wide risk goals with those of each line of business and are part of our overall risk management process to help reduce the volatility of market, credit and operational losses. Models are used to estimate market value and Net Interest Income sensitivity, and to estimate expected and unexpected losses for each product and line of business, where appropriate. Hedging strategies are used to manage the risk of borrower or counterparty concentration risk and to manage market risk in the portfolio.

The formal processes used to manage risk represent only one portion of our overall risk management process. Corporate culture and the actions of our associates are also critical to effective risk management. Through our Code of Ethics, we set a high standard for our associates. The Code of Ethics provides a framework for all of our associates to conduct themselves with the highest integrity in the delivery of our products or services to our customers. We instill a risk-conscious culture through communications, training, policies, procedures, and organizational roles and responsibilities. Additionally, we continue to strengthen the linkage between the associate performance management process and individual compensation to encourage associates to work toward corporate-wide risk goals.

Oversight

The Board oversees the risk management of the Corporation through its committees, management committees and the Chief Executive Officer. The Board's Audit Committee monitors (1) the effectiveness of our internal controls, (2) the integrity of our Consolidated Financial Statements and (3) compliance with legal and regulatory requirements. In addition, the Audit Committee oversees the internal audit function and the independent registered public accountant. The Board's Asset Quality Committee oversees credit risks and related topics that may impact our assets and earnings. The Finance Committee, a management committee, oversees the development and performance of the policies and strategies for managing the strategic, credit, market, and operational risks to our earnings and capital. The Asset Liability Committee (ALCO), a subcommittee of the Finance Committee, oversees our policies and processes designed to assure sound market risk and balance sheet management. The Compliance and Operational Risk Committee, a subcommittee of the Finance Committee, oversees our policies and processes designed to assure sound operational and compliance risk management. The Credit Risk Committee (CRC), a subcommittee of the Finance Committee, oversees and approves our adherence to sound credit risk management policies and practices. Certain CRC approvals are subject to the oversight of the Board's Asset Quality Committee. The Risk and Capital Committee, a management committee, reviews our corporate strategies and objectives, evaluates business performance, and reviews business plans including economic capital allocations to the Corporation and business lines. Management continues to direct corporate-wide efforts to address the Basel Committee on Banking Supervision's new risk-based capital standards (Basel II). The Audit Committee and Finance Committee oversee management's plans to comply with Basel II. For additional information, see Basel II and Note 15.