2005 Summary Annual Report: Form 10-K: Managing Risk

Overview

Our management governance structure enables us to manage all major aspects of our business through an integrated planning and review process that includes strategic, financial, associate, customer and risk planning. We derive much of our revenue from managing risk from customer transactions for profit. In addition to qualitative factors, we utilize quantitative measures to optimize risk and reward trade offs in order to achieve growth targets and financial objectives while reducing the variability of earnings and minimizing unexpected losses. Risk metrics that allow us to measure performance include economic capital targets, SVA targets and corporate risk limits. By allocating capital to a business unit, we effectively define that unit’s ability to take on risk. Country, trading, asset allocation and other limits supplement the allocation of economic capital. These limits are based on an analysis of risk and reward in each business unit and management is responsible for tracking and reporting performance measurements as well as any exceptions to guidelines or limits. Our risk management process continually evaluates risk and appropriate metrics needed to measure it. Our business exposes us to the following major risks: strategic, liquidity, credit, market and operational.

Strategic Risk is the risk that adverse business decisions, ineffective or inappropriate business plans or failure to respond to changes in the competitive environment, business cycles, customer preferences, product obsolescence, execution and/or other intrinsic risks of business will impact our ability to meet our objectives. Liquidity risk is the inability to accommodate liability maturities and deposit withdrawals, fund asset growth and meet contractual obligations through unconstrained access to funding at reasonable market rates. Credit risk is the risk of loss arising from a borrower’s or counterparty’s inability to meet its obligations. Market risk is the risk that values of assets and liabilities or revenues will be adversely affected by changes in market conditions, such as interest rate movements. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or external events.

Risk Management Processes and Methods

We have established control processes and use various methods to align risk-taking and risk management throughout our organization. These control processes and methods are designed around “three lines of defense”: lines of business; support units (including Risk Management, Compliance, Finance, Human Resources and Legal); and Corporate Audit.

Management is responsible for identifying, quantifying, mitigating and managing all risks within their lines of business, while certain enterprise-wide risks are managed centrally. For example, except for trading-related business activities, interest rate risk associated with our business activities is managed in the Corporate Treasury and Corporate Investment functions. Line of business management makes and executes the business plan and is closest to the changing nature of risks and, therefore, we believe is best able to take actions to manage and mitigate those risks. Our lines of business prepare quarterly self-assessment reports to identify the status of risk issues, including mitigation plans, if appropriate. These reports roll up to executive management to ensure appropriate risk management and oversight, and to identify enterprise-wide issues. Our management processes, structures and policies aid us in complying with laws and regulations and provide clear lines for decision-making and accountability. Wherever practical, we attempt to house decision-making authority as close to the transaction as possible while retaining supervisory control functions from both in and outside of the lines of business.

The Risk Management organization translates approved business plans into approved limits, approves requests for changes to those limits, approves transactions as appropriate, and works closely with lines of business to establish and monitor risk parameters. Risk Management has assigned a Risk Executive to each of the lines of business who is responsible for the oversight of all risks associated with that line of business. In addition, Risk Management has assigned Risk Executives to monitor enterprise-wide credit, market and operational risks.

Corporate Audit provides an independent assessment of our management and internal control systems. Corporate Audit activities are designed to provide reasonable assurance that resources are adequately protected; significant financial, managerial and operating information is materially complete, accurate and reliable; and employees’ actions are in compliance with corporate policies, standards, procedures, and applicable laws and regulations.

We use various methods to manage risks at the line of business levels and corporate-wide. Examples of these methods include planning and forecasting, risk committees and forums, limits, models, and hedging strategies. Planning and forecasting facilitates analysis of actual versus planned results and provides an indication of unanticipated risk levels. Generally, risk committees and forums are comprised of lines of business, risk management, treasury, compliance, legal and finance personnel, among others, who actively monitor performance against plan, limits, potential issues, and introduction of new products. Limits, the amount of exposure that may be taken in a product, relationship, region or industry, seek to align risk goals with those of each line of business and are part of our overall risk management process to help reduce the volatility of market, credit and operational losses. Models are used to estimate market value and net interest income sensitivity, and to estimate expected and unexpected losses for each product and line of business, where appropriate. Hedging strategies are used to manage the risk of borrower or counterparty concentration risk and to manage market risk in the portfolio.

The formal processes used to manage risk represent only one portion of our overall risk management process. Corporate culture and the actions of our associates are also critical to effective risk management. Through our Code of Ethics, we set a high standard for our associates. The Code of Ethics provides a framework for all of our associates to conduct themselves with the highest integrity in the delivery of our products or services to our customers. We instill a risk-conscious culture through communications, training, policies, procedures, and organizational roles and responsibilities. Additionally, we continue to strengthen the linkage between the associate performance management process and individual compensation to encourage associates to work toward corporate-wide risk goals.

Oversight

The Board evaluates risk through the Chief Executive Officer (CEO) and three committees. The Finance Committee, a committee appointed by the Board, establishes policies and strategies for managing the strategic, liquidity, credit, market and operational risks to corporate earnings and capital. The Asset Quality Committee, a Board committee, reviews credit and selected market risks; and the Audit Committee, a Board committee, provides direct oversight of the corporate audit function and the independent registered public accounting firm. Additionally, senior management oversight of our risk-taking and risk management activities is conducted through four senior management committees: the Risk and Capital Committee (RCC), the Asset and Liability Committee (ALCO), the Compliance and Operational Risk Committee (CORC) and the Credit Risk Committee (CRC). The RCC, a senior management committee, reviews corporate strategies and corporate objectives, evaluates business performance, and reviews business plans, including capital allocation, for the Corporation and for major businesses. The ALCO, a subcommittee of the Finance Committee, provides oversight for Corporate Treasury’s and Corporate Investment’s process of managing interest rate risk, otherwise known as the ALM process, and reviews ALM and credit hedging activities. ALCO also approves limits for trading activities and manages the risk of loss of value and related Net Interest Income of our trading activities. The CORC, a subcommittee of the Finance Committee, provides oversight and consistent communication of operational and compliance issues. The CRC, a subcommittee of the Finance Committee, establishes corporate credit practices and limits, including industry and country concentration limits and approval requirements. The CRC also reviews asset quality results versus plan, portfolio management, and the adequacy of the allowance for credit losses. Each committee and subcommittee has the ability to delegate authority to officers of subcommittees to manage specific risks.

Management continues to direct corporate-wide efforts to address the Basel Committee on Banking Supervision’s new risk-based capital standards (Basel II). The Finance Committee and the Audit Committee provide oversight of management’s plans including the Corporation’s preparedness and compliance with Basel II. For additional information, see Basel II and Note 15 of the Consolidated Financial Statements.

The following sections, Strategic Risk Management, Liquidity Risk and Capital Management, Credit Risk Management, Market Risk Management and Operational Risk Management, address in more detail the specific procedures, measures and analyses of the major categories of risk that we manage.