American Express 2012 Annual Report Download - page 39


AMERICAN EXPRESS COMPANY
2012 FINANCIAL REVIEW
RISK MANAGEMENT
GOVERNANCE
Risk management and key risks identified by management are
overseen by the Company’s Board of Directors and two of its
committees: the Audit, Risk and Compliance Committee and the
Compensation and Benefits Committee. Both committees consist
solely of independent directors and provide regular updates to
the Board of Directors.
The Audit, Risk and Compliance Committee approves key risk
management policies, and monitors the Company’s risk culture,
personnel, capabilities and outcomes. The Committee approves
the Enterprise-wide Risk Management Policy along with its
sub-policies governing individual credit risk, institutional credit risk,
market risk, liquidity risk, operational risk, asset/liability risk
and capital management, as well as the launch of new products
and services. The Committee receives regular reports about key
risks affecting the Company, including their potential likelihood
and impact, as well as risk escalation and compliance with the
policy-based risk limits. The Committee regularly reviews the
credit risk profiles of the major business units, including their
risk trends and risk management capabilities. It also reviews
enterprise-wide operational risk trends, events and capabilities,
with an emphasis on compliance, fraud, legal, information
security, and privacy impacts; as well as trends in market,
funding, liquidity and reputational risk. The Committee meets
regularly in private sessions with the Company’s Chief Risk
Officer and other senior management with regard to the
Company’s risk management processes, controls and capabilities.
The Compensation and Benefits Committee works with the
Chief Risk Officer to ensure that the compensation programs
covering risk-taking employees, business units, and the
Company overall appropriately balance risk with incentives and
that business performance is achieved without taking imprudent
risks. The Company’s Chief Risk Officer is actively involved in
the goal-setting process; reviews the current and forward-looking
risk profiles of each business unit; and provides input into
performance evaluation. The Chief Risk Officer attests to the
Compensation and Benefits Committee that performance goals
and actual results have been achieved without taking imprudent
risks. The Compensation and Benefits Committee uses a
risk-balanced incentive compensation framework to decide on the
Company’s bonus pools and the compensation of senior
executives.
There are several internal management committees, including
the Enterprise-wide Risk Management Committee (ERMC),
chaired by the Company’s Chief Risk Officer, and the
Asset-Liability Committee (ALCO), chaired by the Company’s Chief
Financial Officer, which support the Audit, Risk and Compliance
Committee of the Board of Directors in overseeing risks across
the Company. The ERMC is responsible for credit, operational
and reputational risks, while the ALCO is responsible for market,
liquidity, asset/liability risk and capital. In 2012, the ERMC
created a dedicated compliance sub-committee.
The Enterprise-wide Risk Management Policy defines risk
management roles and responsibilities. The policy sets the
Company’s risk appetite and defines governance over risk taking
and the risk monitoring processes across the Company. Risk
appetite defines the overall risk levels the Company is willing to
accept while operating in full compliance with regulatory and
legal requirements. In addition, it establishes principles for risk
taking in the aggregate and for each risk type, and is supported
by a comprehensive system of risk limits, escalation triggers and
controls designed to ensure that the risks remain within the
defined risk appetite boundaries.
The Policy also defines the Company’s “three lines of defense”
approach to risk management. Business Unit presidents are
supported by Chief Credit and Lead Operational Risk Officers,
who lead the first line of defense. The Global Risk Oversight
group (described below) is the second line of defense and
provides oversight of risks across the Company that is
independent from the first line of defense. The Internal Audit
Group constitutes the third line of defense, ensuring that the first
and second lines operate as intended.
GLOBAL RISK OVERSIGHT
The Global Risk Oversight (GRO) group provides the Chief Risk
Officer with its independent assessment of risks. The GRO seeks
to ensure that key risk management policies are consistently
implemented and enforced throughout the Company, including
risk-based limits and escalations. In addition, the GRO is
responsible for aggregation and reporting of risks across risk
types, business units and geography and maintains
enterprise-wide standards, procedures, tools and processes for managing
credit and operational risks. The head of GRO has a solid line
reporting relationship to the Company’s Chief Risk Officer.
CREDIT RISK MANAGEMENT
Credit risk is defined as loss due to obligor or counterparty
default or changes in the credit quality of a security. Credit risks
in the Company are divided into two broad categories: individual
and institutional. Each has distinct risk management tools and
metrics. Business units that create individual or institutional
credit risk exposures of significant importance are supported by
dedicated risk management teams, each led by a Chief Credit
Officer. To preserve independence, Chief Credit Officers for all
business units have a solid line reporting relationship to the
Company’s Chief Risk Officer.
INDIVIDUAL CREDIT RISK
Individual credit risk arises principally from consumer and small
business charge cards, credit cards, lines of credit, and loans.
These portfolios consist of millions of customers across multiple
geographies, occupations, industries and levels of net worth. The
Company benefits from the high-quality profile of its customers,
which is driven by brand, premium customer servicing, product
features and risk management capabilities, which span
underwriting, customer management and collections. Externally,
the risk in these portfolios is correlated to broad economic
trends, such as unemployment rates and GDP growth, which can
affect customer liquidity.