A COSO Based Risk & Control Framework
Operational Risk Management: A Proposal for Success

Upload: jhurt7103

Post on 18-Nov-2014
TRANSCRIPT

Page 1: A COSO Based Risk & Control Framework

Operational Risk Management

A Proposal for Success

Page 2: Mission Statement

We will support management’s goals and objectives by providing independent monitoring and assessment of management’s key business processes to ensure all business risks are anticipated, recognized and appropriately addressed before they adversely affect the Company. We will assess, monitor and manage risks in a manner that integrates with management’s strategic objectives and the corporate decision-making process. We will help management effectively and efficiently deploy resources by striking a balance between growth, returns and related risk.

Page 3: Objectives

The primary objectives of the Operational Risk Program are to:

• Act decisively to identify and manage key risks.
• Enable an appropriate risk/reward balance in operational risk decisions.
• Deliver transparent reporting of key risks to enable informed decisions.
• Drive accountability and exercise appropriate authority.
• Ensure consistency through a common framework.
• Maintain independent oversight of business performance.
• Transfer ownership of risks and controls to the business units.

Page 4: Risk Framework

The operational risk framework consists of four fundamental elements designed to provide a consistent approach to managing risk across the Company. This framework is intended to correspond with the framework components of COSO. These framework components are Event Identification and Assessment, Risk Response and Control Activities, Monitoring, and Reporting.

Page 5: Identify and Assess

Each business unit should understand and document key operational risks to the organization, complete periodic self-assessments of the risk environment to confirm identified key risks and identify new or emerging risks, and prioritize those risks to ensure focus on risks that present frequent risk to the business.

• A documented risk profile is in place and updated annually.
• Risk and control self-assessments are completed periodically.
• Scenario analysis workshops have appropriate representation and support from each business unit to enable identification of emerging risks. Any gaps identified will be documented and addressed.
• Operational loss collection is performed per the Operational Incident Policy to identify control weaknesses or areas for improvement.

Page 6: Risk Response and Control

Each business unit will document mitigation of key operational risks, including key controls, risk transfer and risk acceptance.

• Risk tolerance levels should be established to aid in the decisioning of mitigation activities.
• Mitigation actions for key risks identified in the annual risk assessment are documented. Key risks may be mitigated using controls, risk transfer or risk acceptance.
• Risk acceptance is documented with the following information:
  – Description of risk.
  – Date of decision to accept the risk.
  – Officers who agreed to accept the risk and the date of the next review of the decision.
• Policies and procedures are in place and include controls that mitigate risks.
• Risk requirements are included in annual employee goals and training.

Page 7: Monitor

Each business unit will develop metrics to facilitate monitoring of the control environment. Risks that have been accepted will be reviewed periodically to ensure that acceptance remains the appropriate mitigation approach.

• Businesses develop key risk metrics to monitor performance of key controls and supplement enterprise metrics. Key risks and controls are monitored to ensure they continue to be effective in managing and reducing risk.
• Mitigation and action plans are monitored by the businesses to ensure plan activities are completed.
• Each business has a process to escalate operational risk issues identified through monitoring.

Page 8: Report

Each business unit will report metrics and risk assessment results to management and risk governance bodies.

• Key risks, mitigation actions and monitoring results are reported to the appropriate levels of management in a timely manner.
• Business issues are escalated to line of business governance in a timely manner, and line of business issues that could have an enterprise impact will be escalated to senior management in a timely manner.