SunTrust 2015 Annual Report Download - page 88

established policies, procedures, and standards. Risk Review,
one of our independent assurance functions, regularly assesses
and reports on business unit and enterprise asset quality, and the
integrity of our credit processes. Additionally, total borrower
exposure limits and concentration risk are established and
monitored. Credit risk may be mitigated through purchase of
credit loss protection via third party insurance and/or use of credit
derivatives such as CDS.
Borrower/counterparty (obligor) risk and facility risk are
evaluated using our risk rating methodology, which is utilized
in all lines of business. We use various risk models to estimate
both expected and unexpected loss, which incorporate both
internal and external default and loss experience. To the extent
possible, we collect and use internal data to ensure the validity,
reliability, and accuracy of our risk models used in default,
severity, and loss estimation.
Operational Risk Management
We face ongoing and emerging risks and regulations related to
the activities that surround the delivery of banking and financial
products. Coupled with external influences such as market
conditions, fraudulent activities, disasters, cyber-attacks and
other security risks, country risk, vendor risk, and legal risk, the
potential for operational and reputational loss remains elevated.
Our operations rely on computer systems, networks, the
internet, digital applications, and the telecommunications and
computer systems of third parties to perform business activities.
The use of digital technologies introduces cyber-security risk
that can manifest in the form of information theft, physical
disruptions, criminal acts by individuals, groups, or nation states,
and a client’s inability to access online services. We use a wide
array of techniques to secure our operations and proprietary
information such as Board approved policies and programs,
network monitoring, access controls, dedicated security
personnel, and defined insurance instruments, as well as consult
with third-party data security experts.
To control cyber-security risk, we maintain an active
information security program that conforms to FFIEC guidance.
This information security program is aligned with our
operational risks and is overseen by executive management, the
Board, and our independent audit function. It continually
monitors and evaluates threats, events, and the performance of
its business operations and continually adapts and modifies its
risk reduction activities accordingly. We also have a cyber
liability insurance policy that provides us with coverage against
certain losses, expenses, and damages associated with cyber risk.
Further, we recognize our role in the overall national
payments system and we have adopted the National Institute of
Standards and Technology Cyber Security Framework ("NIST
CSF"). We also fully participate in the federally recognized
financial sector information sharing organization structure,
known as the Financial Services Information Sharing and
Analysis Center ("FS-ISAC"). Digital technology is constantly
evolving, and new and unforeseen threats and actions by others
may disrupt operations or result in losses beyond our risk control
thresholds. Although we invest substantial time and resources to
manage and reduce cyber risk, it is not possible to completely
eliminate this risk.
We believe that effective management of operational risk,
defined as the risk of loss resulting from inadequate or failed
internal processes, people and systems, or from external events,
plays a major role in both the level and the stability of our
profitability. Our Operational Risk Management function
oversees an enterprise-wide framework intended to identify,
assess, control, monitor, and report on operational risks
Company-wide. These processes support our goals to minimize
future operational losses and strengthen our performance by
maintaining sufficient capital to absorb operational losses that
are incurred.
Operational Risk Management is overseen by our CORO,
who reports directly to the CRO. The operational risk governance
structure includes an operational risk manager and support staff
within each business segment and corporate function. These risk
managers are responsible for execution of risk management
within their areas in compliance with CRM's policies and
procedures.
Market Risk Management
Market risk refers to potential losses arising from changes in
interest rates, foreign exchange rates, equity prices, commodity
prices, and other relevant market rates or prices. Interest rate risk,
defined as the exposure of net interest income and MVE to
changes in interest rates, is our primary market risk and mainly
arises from the structure of our balance sheet. Variable rate loans,
prior to any hedging related actions, were approximately 60%
of total loans at December 31, 2015, and after giving
consideration to hedging related actions, were approximately
48% of total loans. Approximately 4-5% of our variable rate
loans at December 31, 2015 had coupon rates that were equal to
a contractually specified interest rate floor. In addition to interest
rate risk, we are also exposed to market risk in our trading
instruments measured at fair value. Our ALCO meets regularly
and is responsible for reviewing our open market positions and
establishing policies to monitor and limit exposure to market
risk.
Market Risk from Non-Trading Activities
The primary goal of interest rate risk management is to control
exposure to interest rate risk, within policy limits approved by
the Board. These limits and guidelines reflect our appetite for
interest rate risk over both short-term and long-term horizons.
No limit breaches occurred during the year ended December 31,
2015.
The major sources of our non-trading interest rate risk are
timing differences in the maturity and repricing characteristics
of assets and liabilities, changes in the shape of the yield curve,
and the potential exercise of freestanding or embedded options.
We measure these risks and their impact by identifying and
quantifying exposures through the use of sophisticated
simulation and valuation models, which, as described in
additional detail below, are employed by management to
understand net interest income sensitivity and MVE sensitivity.
These measures show that our interest rate risk profile is
moderately asset sensitive at December 31, 2015.
MVE and net interest income sensitivity are complementary
interest rate risk metrics and should be viewed together. Net
interest income sensitivity captures asset and liability repricing
mismatches for one year, inclusive of forecast balance sheet
changes, and is considered a shorter term measure, while MVE
sensitivity captures mismatches within the period end balance