American Express 2011 Annual Report Download - page 40


AMERICAN EXPRESS COMPANY
2011 FINANCIAL REVIEW

OPERATIONAL RISK MANAGEMENT PROCESS

The Company defines operational risk as the risk of not
achieving business objectives due to inadequate or failed
processes or information systems, human error or the external
environment (i.e., natural disasters) including losses due to
failures to comply with laws and regulations. Operational risk is
inherent in all business activities and can impact an organization
through direct or indirect financial loss, brand damage, customer
dissatisfaction, or legal and regulatory penalties.

In order to appropriately measure and manage operational
risk, the Company has developed a comprehensive operational
risk framework that is defined in the Operational Risk
Management Policy approved by the Audit and Risk Committee
of the Board of Directors. The Operational Risk Management
Committee (ORMC) coordinates and oversees the operational
risk mitigation efforts by Lead Operational Risk Officers in the
business units and staff groups, supported by the control groups.

The Company uses the operational risk framework to identify,
measure, monitor and report inherent and emerging operational
risks. This framework, supervised by the ORMC, consists of
(a) operational risk event capture, (b) a project office to
coordinate issue management and control enhancements, (c) key
risk indicators, and (d) process and entity-level risk
self-assessments.

The framework requires the assessment of operational risk
events to determine root causes, impacts and accountability for
risk mitigation. The impact on the Company is assessed from a
financial, brand, regulatory and legal perspective. The
operational risk model also assesses the frequency and likelihood
that events may occur again so that the appropriate mitigation
steps may be taken.

The process risk self-assessment methodology is used to
facilitate compliance with Section 404 of the Sarbanes-Oxley Act,
and is also used for non-financial operational risk
self-assessments. During the entity risk self-assessment, senior leaders
identify key operational risks in a business unit or staff group
and determine the Company’s risk mitigation plans.

REPUTATIONAL RISK MANAGEMENT PROCESS

The Company defines reputational risk as the risk that negative
public perceptions regarding the Company’s products, services,
business practices, management, clients and partners, whether
true or not, could cause a decline in the customer base, costly
litigation, or revenue reductions.

The Company views protecting its reputation as core to its
vision of becoming the world’s most respected service brand and
fundamental to its long-term success.

General principles and the overall framework for managing
reputational risk across the Company are defined in the
Reputational Risk Management Policy. The Reputational Risk
Management Committee is responsible for implementation of
and adherence to this policy, and for performing periodic
assessment of the Company’s reputation and brand health based
on internal and external assessments.

Business leaders across the Company are responsible for
ensuring that reputation risk implications of transactions,
business activities and management practices are appropriately
considered and relevant subject matter experts are engaged as
needed.