American Express 2013 Annual Report Download - page 45

AMERICAN EXPRESS COMPANY
2013 FINANCIAL REVIEW
RISK MANAGEMENT
GOVERNANCE
The Company uses its comprehensive Enterprise-wide Risk
Management (ERM) program to measure, aggregate, monitor, and
manage risks. The ERM program is designed to enable the Board of
Directors and management to assess the effectiveness of risk
management capabilities, policies, processes and controls. It also
contributes to the risk-adjusted performance evaluation of the
Company’s businesses and business leaders. The implementation and
execution of the ERM program is headed by the Company’s Chief Risk
Officer.

Risk management and key risks identified by management are
overseen by the Company’s Board of Directors and three of its
committees: the Risk Committee, the Audit and Compliance
Committee, and the Compensation and Benefits Committee. Each of
these committees consists entirely of independent directors and
provides regular reports to the Board of Directors regarding matters
reviewed at the committee level. In addition to the risks under the
purview of a particular committee, the Board of Directors monitors the
“tone at the top” and risk culture of the Company, oversees strategic
risk, and reviews specific and significant risks facing the Company from
time to time. These Committees meet regularly in private sessions with
the Company’s Chief Risk Officer, the Chief Compliance Officer, the
General Auditor and other senior management with regard to the
Company’s risk management processes, controls and capabilities.

The Risk Committee of the Company’s Board of Directors provides
risk oversight on risk policies and the risk management performance of
the Company. The Risk Committee approves key risk management
policies and monitors the Company’s risk culture, talent, capabilities
and risk outcomes. In particular, it approves the Company’s ERM policy
along with its sub-policies governing individual credit risk, institutional
credit risk, market risk, liquidity risk, operational risk, reputational risk,
and asset/liability risk, as well as the launch of new products and
services. The ERM policy sets the Company’s risk appetite and defines
governance over risk taking and the risk monitoring processes across the
Company. Risk appetite defines the overall risk levels the Company is
willing to accept while operating in full compliance with regulatory and
legal requirements. In addition, it establishes principles for risk taking in
the aggregate and for each risk type, and is supported by a
comprehensive system of risk limits, escalation triggers and controls
designed to ensure that the risks remain within the defined risk appetite
boundaries. Furthermore, the policy defines risk management roles and
responsibilities.

The Risk Committee also regularly reviews the credit risk profile of
the Company, risk trends and risk management capabilities. The Risk
Committee receives regular updates from the Company’s Global Risk
Oversight team, which reports to the Chief Risk Officer, on key risks
affecting the Company, including transaction and exposure level
approvals driven by policy-based risk escalations and risk limits.
The Risk Committee reviews enterprise-wide operational risk trends,
events and capabilities, with an emphasis on compliance, fraud, legal,
process or control failures, information security, and privacy impacts, as
well as trends in market, funding, liquidity and reputational risk. The
Risk Committee also provides risk oversight of the Company’s
compliance with Basel capital and liquidity standards and its Internal
Capital Adequacy Assessment Process, including its Comprehensive
Capital Analysis and Review (CCAR) submissions.

As it relates to risk management, the Audit and Compliance
Committee of the Company’s Board of Directors approves the
Company’s compliance policies and compliance risk tolerance
statement, which reinforces the importance of compliance risk
management at the Company. In addition, the Audit and Compliance
Committee reviews the effectiveness of the Company’s Corporate-wide
Compliance Risk Management Program. More broadly, the Committee
is responsible for assisting the Board of Directors in its oversight
responsibilities relating to the integrity of the Company’s financial
statements and financial reporting process; internal and external
auditing, including the qualifications and independence of the
independent registered public accounting firm and the performance of
the Company’s internal audit services function; and the integrity of the
Company’s systems of internal accounting and financial controls.

The Compensation and Benefits Committee of the Company’s Board
of Directors works with the Chief Risk Officer to ensure the
compensation programs covering risk-taking employees, business units,
and the Company overall appropriately balance risk with incentives
such that business performance is achieved without taking imprudent or
uneconomic risks. The Company’s Chief Risk Officer is actively
involved in the goal-setting process, reviews the current and
forward-looking risk profiles of each business unit, and provides input into
performance evaluation. The Chief Risk Officer meets with the
Compensation and Benefits Committee and attests that performance
goals and actual results have been achieved without taking imprudent
risks. The Compensation and Benefits Committee uses a risk-balanced
incentive compensation framework to decide on the Company’s bonus
pools and the compensation of senior executives.

There are several internal management committees, including the
Enterprise-wide Risk Management Committee (ERMC), chaired by the
Company’s Chief Risk Officer, and the Asset-Liability Committee
(ALCO), chaired by the Company’s Chief Financial Officer, which
oversee risks and implementation of risk policies across the Company
with approval by the appropriate board committee. The ERMC is
responsible for overseeing all risks, while the ALCO is responsible for
managing market, liquidity, asset/liability risk, and the Company’s
capital position.

As defined in the ERM policy, the Company follows the “three lines
of defense” approach to risk management. The first line of defense
comprises functions and management committees directly initiating risk
taking. Business Unit presidents, the Chief Credit Officer of the
Company, the Chief Operational Risk Officer, and the Chief Market
Risk Officer are part of the first line of defense. The second line of
defense comprises functions overseeing risk taking activities of the first
line. The Global Risk Oversight (GRO) and Market Risk Oversight
groups, the ERMC and certain control groups, both at the enterprise
level and within regulated entities, are part of the second line of defense.
The GRO oversees the framework and processes for managing credit,
operational and model risks the Company faces and