Sallie Mae 2014 Annual Report Download - page 66

  • The adoption by the Board of Directors of a formal Enterprise Risk Management Policy to support compliance with the ERM framework;
  • The continued evolution of the internal risk oversight framework to achieve greater clarity and strengthen decision making; and
  • Continued investment in the ERM function to ensure it is fit for purpose for the challenges facing the business and the industry.
The Governance Framework
Our overall objective pertaining to risk and control is to ensure all significant risks inherent in our business can be identified, remediated, controlled and monitored. To this end, we have adopted the “three lines of defense” governance framework. Specifically, the business units form the “first line of defense” and are the “owners” of risks present in our business activities. As the owners of risk, the first line of defense is accountable for the day-to-day execution of risk and control policy and procedures. The “second line of defense” (e.g. Enterprise Risk Management and Compliance) provides oversight of the execution by the first line of defense. Rather than focused on execution, the second line of defense is accountable for the related policy and standards executed upon by the first line of defense. Finally, the Internal Audit function comprises the “third line of defense.” The Internal Audit function provides opinions to the Board on the effectiveness of the first and second lines of defense. The lines of defense distinction determines accountabilities; the ERM framework contains the processes and infrastructure necessary to deliver on those accountabilities.
Key Roles and Responsibilities
Individual accountabilities for risk management are held at multiple levels of our organization, including the Board of Directors and its committees. These accountabilities are clearly articulated in terms of policies, committee charters and the ERM framework and its components. Each business or functional area within our organization is responsible for managing its specific risks utilizing agreed upon processes and procedures developed in collaboration with the risk management and control teams.
Board of Directors. The Board of Directors, directly and through its standing committees, is responsible for overseeing our overall strategic and business planning activities and, through the activities of its Risk Committee, providing oversight to our risk and control activities. Specifically, the Board reviews and approves the ERM framework, its policy and governance components, annually. The Board requires management to provide periodic updates on compliance with the enterprise risk management framework as well as emerging or horizon risks.
Standing committees of our Board of Directors include Risk, Audit, Nominations, Governance & Compensation; Preferred Stock Committees, and a Compliance Committee of the Bank Board of Directors. Charters for each committee providing their specific responsibilities and areas of risk oversight are published at www.salliemae.com under “Investors-Corporate Governance.” Additional information regarding their activities and responsibilities will be contained in the “Corporate Governance” section of our proxy statement to be filed on Schedule 14A relating to our 2015 Annual Meeting of Stockholders (the “2015 Proxy Statement”) and is incorporated herein by reference.
Chief Executive Officer. The Chief Executive Officer is ultimately responsible for ensuring proper oversight, management and reporting to the Board of Directors regarding our risk management practices and the timely escalation of any significant issues. The Chief Executive Officer is responsible for setting the tone across the Company pertaining to risk management and overseeing business compliance with the ERM framework, the risk appetite statement and the annual business plan.
Chief Risk Officer. The Chief Risk Officer is responsible for the effectiveness of the ERM framework, the risk appetite statement and related governance components. Additionally, the CRO is responsible for establishing processes relating to risk reporting, issues management, escalation to the ERC and, as required, independent reporting to the Board.
Enterprise Risk Management Policy and Framework
The ERM Policy and framework are designed to provide a holistic perspective of risk and control performance across the Company. The Policy, which is approved annually by the Board of Directors, outlines the framework used to ensure that risk and control issues across the enterprise are identified, remediated, controlled and escalated. The Bank’s overall governance structure is organized to support the effective execution of the ERM framework and compliance with this Policy.
The risk appetite statement is a central component of the ERM framework. The risk appetite statement establishes the level of risk we are willing to accept within each risk category, described below, in pursuit of our business objectives. Our risk appetite is captured in a set of performance metrics specific to our business activities, both quantitative and qualitative. These metrics have corresponding thresholds and limits and are adopted as operating standards. Compliance with our risk appetite is