Bank of America 2015 Annual Report Download - page 52

Download and view the complete annual report

Please find page 52 of the 2015 Bank of America annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 256

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256

50 Bank of America 2015
The CRO has the authority and independence to develop and
implement a meaningful risk management framework. The CRO
has unrestricted access to the Board and reports directly to both
the ERC and to the CEO. Global Risk Management is organized
into enterprise risk teams and FLU risk teams that work
collaboratively in executing their respective duties.
Within IRM, Global Compliance independently assesses
compliance risk, and evaluates adherence to applicable laws, rules
and regulations, including identifying compliance issues and risks,
performing monitoring and testing, and reporting on the state of
compliance activities across the Corporation. Additionally, Global
Compliance works with FLUs and control functions so that day-to-
day activities operate in a compliant manner.
Corporate Audit
Corporate Audit and the CGA maintain their independence from
the FLUs, IRM and other control functions by reporting directly to
the Audit Committee or the Board. The CGA administratively
reports to the CEO. Corporate Audit provides independent
assessment and validation through testing of key processes and
controls across the Corporation. Corporate Audit includes Credit
Review which periodically tests and examines credit portfolios and
processes.
Risk Management Processes
The Risk Framework requires that strong risk management
practices are integrated in key strategic, capital and financial
planning processes and day-to-day business processes across the
Corporation, with a goal of ensuring risks are appropriately
considered, evaluated and responded to in a timely manner.
We employ a risk management process, referred to as Identify,
Measure, Monitor and Control (IMMC) as part of our daily activities.
Identify – To be effectively managed, risks must be clearly defined
and proactively identified. Proper risk identification focuses on
recognizing and understanding all key risks inherent in our
business activities or key risks that may arise from external
factors. Each employee is expected to identify and escalate
risks promptly. Risk identification is an ongoing process,
incorporating input from FLUs and control functions, designed
to be forward looking and capture relevant risk factors across
all of our lines of business.
Measure – Once a risk is identified, it must be prioritized and
accurately measured through a systematic risk quantification
process including quantitative and qualitative components.
Risk is measured at various levels including, but not limited
to, risk type, FLU, legal entity and on an aggregate basis. This
risk quantification process helps to capture changes in our risk
profile due to changes in strategic direction, concentrations,
portfolio quality and the overall economic environment. Senior
management considers how risk exposures might evolve under
a variety of stress scenarios.
Monitor – We monitor risk levels regularly to track adherence to
risk appetite, policies, standards, procedures and processes.
We also regularly update risk assessments and review risk
exposures. Through our monitoring, we can determine our level
of risk relative to limits and can take action in a timely manner.
We also can determine when risk limits are breached and have
processes to appropriately report and escalate exceptions.
This includes immediate requests for approval to managers
and alerts to executive management, management-level
committees or the Board (directly or through an appropriate
committee).
Control – We establish and communicate risk limits and controls
through policies, standards, procedures and processes that
define the responsibilities and authority for risk-taking. The
limits and controls can be adjusted by the Board or
management when conditions or risk tolerances warrant.
These limits may be absolute (e.g., loan amount, trading
volume) or relative (e.g., percentage of loan book in higher-risk
categories). Our lines of business are held accountable to
perform within the established limits.
Among the key tools in the risk management process are the
Risk and Control Self Assessments (RCSAs). The RCSA process,
consistent with IMMC, is one of our primary methods for capturing
the identification and assessment of operational risk exposures,
including inherent and residual operational risk ratings, and control
effectiveness ratings. The end-to-end RCSA process incorporates
risk identification and assessment of the control environment;
monitoring, reporting and escalating risk; quality assurance and
data validation; and integration with the risk appetite. This results
in a comprehensive risk management view that enables
understanding of and action on operational risks and controls for
our processes, products, activities and systems.
The formal processes used to manage risk represent a part of
our overall risk management process. Corporate culture and the
actions of our employees are also critical to effective risk
management. Through our Code of Conduct, we set a high standard
for our employees. The Code of Conduct provides a framework for
all of our employees to conduct themselves with the highest
integrity. We instill a strong and comprehensive risk management
culture through communications, training, policies, procedures,
and organizational roles and responsibilities. Additionally, we
continue to strengthen the link between the employee performance
management process and individual compensation to encourage
employees to work toward enterprise-wide risk goals.
Corporation-wide Stress Testing
Integral to the Corporation’s Capital Planning, Financial Planning
and Strategic Planning processes is stress testing, which the
Corporation conducts on a periodic basis to better understand
balance sheet, earnings, capital and liquidity sensitivities to
certain economic and business scenarios, including economic and
market conditions that are more severe than anticipated. These
stress tests provide an understanding of the potential impacts
from the Corporation’s risk profile on the balance sheet, earnings,
capital and liquidity, and serve as a key component of the
Corporation’s capital and risk management. The intent of stress
testing is to develop a comprehensive understanding of potential
impacts of on- and off-balance sheet risks at the Corporation and
how they impact financial resiliency.
Contingency Planning Routines
We have developed and maintain contingency plans that are
designed to prepare us in advance to respond in the event of
potential adverse outcomes and scenarios. These contingency
planning routines include capital contingency planning, liquidity
contingency funding plans, recovery planning and enterprise
resiliency, and provide monitoring, escalation routines and
response plans. Contingency response plans are designed to
enable us to increase capital, access funding sources and reduce