American Express 2014 Annual Report Download - page 52


AMERICAN EXPRESS COMPANY
2014 FINANCIAL REVIEW
Similar to Individual Credit Risk, business units taking institutional credit risks are supported by Chief Credit Officers. These officers are
guided by the Institutional Risk Management Committee (IRMC), which is responsible for implementation and enforcement of the
Institutional Credit Risk Management Policy and for providing guidance to the credit officers of each business unit with substantial
institutional credit risk exposures. The committee, along with the business unit Chief Credit Officers, makes investment decisions in core risk
capabilities, ensures proper implementation of the underwriting standards and contractual rights of risk mitigation, monitors risk exposures,
and determines risk mitigation actions. The IRMC formally reviews large institutional risk exposures to ensure compliance with ERMC
guidelines and procedures and escalates them to the ERMC as appropriate. At the same time, the IRMC provides guidance to the business
unit risk management teams to optimize risk-adjusted returns on capital. A centralized risk rating unit and a specialized airline risk group
provide risk assessment of our institutional obligors.
Exposure to the Airline Industry
We have multiple important co-brand, rewards and corporate payments arrangements with airlines. The ERM program evaluates the risks
posed by our airline partners and the overall airline strategy to all functions within the Company through comprehensive business analysis of
global airlines. Our largest airline partner is Delta, and this relationship includes exclusive co-brand credit card partnerships and other
arrangements including Membership Rewards redemption, merchant acceptance, travel and corporate payments. See Part I, Item 1A, “Risk
Factors” in our Annual Report on Form 10-K for the year ended December 31, 2014.
Sovereign Debt Exposure
As part of our ongoing risk management process, we monitor our financial exposure to both sovereign and non-sovereign customers and
counterparties, and measure and manage concentrations of risk by geographic regions, as well as by economic sectors and industries. A
primary focus area for monitoring is credit deterioration due to weaknesses in economic and fiscal profiles. We evaluate countries based on
the market assessment of the riskiness of their sovereign debt and our assessment of our economic and financial outlook and closely monitor
those deemed high risk. As of December 31, 2014, we considered our gross credit exposures to government entities, financial institutions and
corporations in those countries deemed high risk to be individually and collectively not material.
OPERATIONAL RISK MANAGEMENT PROCESS
We define operational risk as the risk of not achieving business objectives due to inadequate or failed processes, people, or information
systems, or the external environment, including failures to comply with laws and regulations. Operational risk is inherent in all business
activities and can impact an organization through direct or indirect financial loss, brand damage, customer dissatisfaction, or legal and
regulatory penalties.
To appropriately measure and manage operational risk, we have implemented a comprehensive operational risk framework that is defined
in the Operational Risk Management Policy approved by the Risk Committee. The Operational Risk Management Committee (ORMC)
coordinates with all control groups on effective risk assessments and controls and oversees the preventive, responsive and mitigation efforts
by Lead Operational Risk Officers in the business units and staff groups. To preserve independence, the Lead Operational Risk Officers for all
business units report to our Chief Operational Risk Officer, who in turn reports directly to our Chief Risk Officer.
We use the operational risk framework to identify, measure, monitor and report inherent and emerging operational risks. This
framework, supervised by the ORMC, consists of (a) operational risk event capture, (b) a project office to coordinate issue management and
control enhancements, (c) key risk indicators such as customer complaints or pre-implementation test metrics, and (d) process and
entity-level risk assessments.
The framework requires the assessment of operational risk events to determine root causes, impact to customers and/or us, and resolution
plan accountability to correct any defect, remediate customers, and enhance controls and testing to mitigate future issues. Our impact is
assessed from an operational, financial, brand, regulatory compliance and legal perspective.
INFORMATION SECURITY, PRIVACY, AND DATA GOVERNANCE
We have implemented an Information Security Framework and Operating Model that is designed to protect information and information
systems from unauthorized access, use, disclosure, disruption, modification or destruction.
Chaired by the Chief Information Security Officer, our Information Security Risk Management Committee, a sub-committee of the
ORMC, provides oversight and governance for our information security risk management activities. In addition, the committee is responsible
for establishing cyber risk tolerances and managing cyber crisis preparedness.