American Express 2015 Annual Report Download - page 97

Similar to Individual Credit Risk, business units taking institutional credit risks are supported by Chief Credit
Officers. These officers are guided by the Institutional Risk Management Committee (IRMC), which is responsible for
implementation and enforcement of the Institutional Credit Risk Management Policy and for providing guidance to the
credit officers of each business unit with substantial institutional credit risk exposures. The committee, along with the
business unit Chief Credit Officers, makes investment decisions in core risk capabilities, ensures proper
implementation of the underwriting standards and contractual rights of risk mitigation, monitors risk exposures, and
determines risk mitigation actions. The IRMC formally reviews large institutional risk exposures to ensure compliance
with ERMC guidelines and procedures and escalates them to the ERMC as appropriate. At the same time, the IRMC
provides guidance to the business unit risk management teams to optimize risk-adjusted returns on capital. A
centralized risk rating unit and a specialized airline risk group provide risk assessment of our institutional obligors.

Exposure to the Airline Industry
We have multiple important cobrand, rewards, merchant acceptance and corporate payments arrangements with
airlines. The ERM program evaluates the risks posed by our airline partners and the overall airline strategy
companywide through comprehensive business analysis of global airlines. Our largest airline partner is Delta, and this
relationship includes exclusive cobrand credit card partnerships and other arrangements including Membership
Rewards redemption, merchant acceptance, travel and corporate payments. See “Risk Factors.”

Sovereign Debt Exposure
As part of our ongoing risk management process, we monitor our financial exposure to both sovereign and
non-sovereign customers and counterparties, and measure and manage concentrations of risk by geographic regions, as
well as by economic sectors and industries. A primary focus area for monitoring is credit deterioration due to
weaknesses in economic and fiscal profiles. We evaluate countries based on the market assessment of the riskiness of
their sovereign debt and our assessment of our economic and financial outlook and closely monitor those deemed
high risk. As of December 31, 2015, we considered our gross credit exposures to government entities, financial
institutions and corporations in those countries deemed high risk to be individually and collectively not material.

OPERATIONAL RISK MANAGEMENT PROCESS
We define operational risk as the risk of not achieving business objectives due to inadequate or failed processes,
people, or information systems, or the external environment, including failures to comply with laws and regulations.
Operational risk is inherent in all business activities and can impact an organization through direct or indirect financial
loss, brand damage, customer dissatisfaction, or legal and regulatory penalties.
To appropriately measure and manage operational risk, we have implemented a comprehensive operational risk
framework that is defined in the Operational Risk Management Policy approved by the Risk Committee. The
Operational Risk Management Committee (ORMC) coordinates with all control groups on effective risk assessments
and controls and oversees the preventive, responsive and mitigation efforts by Lead Operational Risk Officers in the
business units and staff groups. To preserve independence, the Lead Operational Risk Officers for all business units
report to our Chief Operational Risk Officer, who in turn reports directly to our Chief Risk Officer.
We use the operational risk framework to identify, measure, monitor and report inherent and emerging
operational risks. This framework, supervised by the ORMC, consists of (a) operational risk event capture, (b) a project
office to coordinate issue management and control enhancements, (c) key risk indicators such as customer
complaints or pre-implementation test metrics, and (d) process and entity-level risk assessments.
The framework requires the assessment of operational risk events to determine root causes, impact to customers
and/or us, and resolution plan accountability to correct any defect, remediate customers, and enhance controls and
testing to mitigate future issues. Our impact is assessed from an operational, financial, brand, regulatory compliance
and legal perspective.

INFORMATION SECURITY, PRIVACY, AND DATA GOVERNANCE
We have implemented an Information Security Framework and Operating Model that is designed to protect
information and information systems from unauthorized access, use, disclosure, disruption, modification or
destruction.
Chaired by the Chief Information Security Officer, our Information Security Risk Management Committee, a
sub-committee of the ORMC, provides oversight and governance for our information security risk management program.
In addition, the committee is responsible for establishing cyber risk tolerances and for managing cyber crisis
preparedness. The Information Security Oversight team provides challenges and independent assessment of the
information security program.