Capital One 2010 Annual Report Download - page 89

Communication and Information infrastructures must be solid and are necessary to support the objective setting, risk assessment, and
control activities described above. Specific reports and communication infrastructure are defined within our individual risk category
policies. Our risk governance structure is designed to support solid and ongoing communication. Robust risk management requires
well-functioning communication channels to inform associates of their responsibilities, alert them to issues or changes that might
affect their activities, and to enable an open flow of information up, down, and across our company. Robust risk management also
requires management information to enable controls to work effectively and to support the analysis needed to set objectives and assess
risk accurately.

Program Monitoring is critical to our risk management program overall. Program monitoring assesses the accuracy, sufficiency, and
effectiveness of current objectives, risk assessments, controls, ownership, communication, and management support. The assessment
of a risk program or activity can be qualitative or quantitative. We encourage the use of measurement and metrics where possible, while
recognizing that some risks or programs cannot be measured quantitatively. Where deficiencies are discovered, we seek to update
the risk management program to resolve the deficiencies in a timely manner. Significant deficiencies are escalated to the appropriate
risk executive or risk committee. Clear accountability is defined when resolving deficiencies to ensure the desired outcome is
achieved. Risk management programs are monitored at every level, from the overall Enterprise Risk Management Program to the
individual risk management activities in each business area.

Organization and Culture is intended to create and maintain an effective risk management organization and culture. A strong
organization and culture promotes risk management as a key factor in making important business decisions and helps drive risk
management activities deeper into the company. An effective risk management culture starts with a well-defined risk management
philosophy. It requires established risk management objectives that align to business objectives and make targeted risk management
activities part of ongoing business management activities. We believe we staff risk functions at the appropriate levels with qualified
associates and effective tools that support risk management practices and activities. Senior management and the Board of Directors are
ultimately accountable for promoting adherence to sound risk principles and tolerances. We seek to incent associates at all levels to
perform according to corporate policies and risk tolerance and in conformity with applicable laws and regulations. Additionally,
management tries to ensure that performance goals, plans, and incentives are designed to promote financial performance within the
confines of a sound risk management program and within defined risk tolerances.

We have a corporate Code of Business Conduct and Ethics (the “Code”) (available on the Corporate Governance page of our website
at www.capitalone.com/about) under which each associate is obligated to behave with integrity in dealing with customers and
business partners and to comply with applicable laws and regulations. We disclose any waivers to the Code on our website. We also
have an associate performance management process that emphasizes achieving business results while ensuring integrity, compliance,
and sound business management.

Risk Appetite

We have a defined risk appetite for each of our eight risk categories that is approved by the Board of Directors. Each risk category has
its own risk appetite statement. Stated risk appetites, and the assessment framework that supports them, define the guardrails for taking
and accepting risks and are used by senior management and the Board to make business decisions.

The risk appetite framework assesses each risk category across three dimensions, using consistent, comprehensive, and understandable
measures. The three dimensions are:

  • Net Risk: Assessment of the level of risk given internal and external factors
  • Quality of Governance and Controls: Evidence demonstrating the strength (or weakness) of our risk governance structure and/or controls associated with the risk category and our ability to address issues
  • Mitigation Plan Status: When needed, the status of our key mitigation activity needed to reduce risk

All three framework dimensions are assessed and measured using a five-point scale. The assessment language in each scale is
customized by each risk steward to reflect the tolerance levels of each of the eight risk categories.

Risk Categories

Our risk management program is organized around eight risk categories. They are: