Bank of America 2014 Annual Report Download - page 56


54 Bank of America 2014
Management Committees
Management committees may receive their authority from the
Board, a Board committee, another management committee or
from one or more executive officers. The primary management-
level risk committee for the Corporation is the Management Risk
Committee (MRC). Subject to Board oversight, the MRC is
responsible for management oversight of all key risks facing the
Corporation. The MRC provides management oversight of the
Corporation’s credit portfolio, compliance and operational risk
programs, balance sheet and capital management, funding
activities and other liquidity activities, stress testing, trading
activities, recovery and resolution planning, model risk, subsidiary
governance and activities between banks and their nonbank
affiliates pursuant to Federal Reserve rules and regulations. The
MRC is responsible for holistic risk management, including an
integrated evaluation of risk, earnings, capital and liquidity, and it
reports on these matters to the Board or Board committees.
Lines of Defense
In addition to the role of Executive Officers in managing risk, we
have clear ownership and accountability across the three lines of
defense: FLUs, independent risk management and Corporate
Audit. The Corporation also has control functions outside of FLUs
and independent risk management (e.g., Legal and Global Human
Resources). The three lines of defense are integrated into our
management-level governance structure. Each of these is
described in more detail below.
Executive Officers
Executive officers lead various functions representing the
functional roles. Authority for functional roles may be delegated
to executive officers from the Board, Board committees or
management-level committees. Executive officers, in turn, may
further delegate responsibilities, as appropriate, to management-
level committees, management routines or individuals. Executive
officers review the Corporation’s activities for consistency with our
Risk Framework, Risk Appetite Statement, and applicable
strategic, capital and financial operating plans, as well as
applicable policies, standards, procedures and processes.
Executive officers and other employees make decisions
individually on a day-to-day basis, consistent with the authority they
have been delegated. Executive officers and other employees may
also serve on committees and participate in committee decisions.
Front Line Units
FLUs include the lines of business and two organizational units,
the Global Technology and Operations Group and Strategic
Initiatives. FLUs are held accountable by the CEO and the Board
for appropriately assessing and effectively managing all of the
risks associated with their activities.
Two organizational units that include FLU and control function
activities, but are not part of independent risk management are
the Chief Financial Officer (CFO) Group and Global Marketing and
Corporate Affairs (GM&CA).
Independent Risk Management
Independent risk management (IRM) is part of our control functions
and includes Global Risk Management and Global Compliance.
We have other control functions that are not part of IRM (other
control functions may also provide oversight to FLU activities),
including Legal, Global Human Resources and certain activities
within the CFO Group, and GM&CA. IRM, led by the CRO, is
responsible for independently assessing and overseeing risks
within FLUs and other control functions. IRM establishes written
enterprise policies and procedures that include concentration risk
limits where appropriate. Such policies and procedures outline
how aggregate risks are identified, measured, monitored and
controlled.
The CRO has the authority and independence to develop and
implement a meaningful risk management framework. The CRO
has unrestricted access to the Board and reports directly to both
the ERC and to the CEO. Global Risk Management is organized
into enterprise risk teams and FLU risk teams that work
collaboratively in executing their respective duties.
Within IRM, Global Compliance independently assesses
compliance risk, and evaluates adherence to applicable laws, rules
and regulations, including identifying compliance issues and risks,
performing monitoring and testing, and reporting on the state of
compliance activities across the Corporation. Additionally, Global
Compliance works with FLUs and control functions so that day-to-
day activities operate in a compliant manner.
Corporate Audit
Corporate Audit and the CGA maintain their independence from
the FLUs, IRM and other control functions by reporting directly to
the Audit Committee. The CGA administratively reports to the CEO.
Corporate Audit provides independent assessment and validation
through testing of key processes and controls across the
Corporation. Corporate Audit includes Credit Review which
periodically tests and examines credit portfolios and processes.
Risk Management Processes
The Corporation’s Risk Framework requires that strong risk
management practices are integrated in key strategic, capital and
financial planning processes and day-to-day business processes
across the Corporation, with a goal of ensuring risks are
appropriately considered, evaluated and responded to in a timely
manner.
We employ a risk management process, referred to as IMMC:
Identify, Measure, Monitor and Control, as part of our daily
activities.
  • Identify – To be effectively managed, risks must be clearly defined
    and proactively identified. Proper risk identification focuses on
    recognizing and understanding all key risks inherent in our
    business activities and risks that may arise from business
    initiatives or external factors. Risk identification is an ongoing
    process occurring at both the individual transaction and
    portfolio level. Each employee is expected to identify and
    escalate risks promptly.
  • Measure – Once a risk is identified, it must be measured. Risk is
    measured at various levels including, but not limited to, risk
    type, FLU, legal entity and on an aggregate basis. These metrics
    help us assess our risk profile and adherence to our risk
    appetite.
  • Monitor – We monitor risk levels regularly to track adherence to
    risk appetites, policies, standards, procedures and processes.
    Through our monitoring, we can determine our level of risk
    relative to limits and can take action in a timely manner. We
    also can determine when risk limits are breached and have
    processes to appropriately report and escalate exceptions.
    This includes immediate requests for approval to managers