STI 2018 Annual Report

overseeing enterprise risk management (i.e., credit, market, liquidity, operational, technology, compliance, reputational, and strategic risk), enterprise capital adequacy, and material regulatory matters. The CRO provides overall vision, direction, and leadership regarding our enterprise risk management framework and risk management culture. The CRO reports to the CEO and the BRC.

Enterprise Risk establishes sound risk and governance frameworks, policies, procedures, and processes that focus on identifying, measuring, analyzing, managing, and reporting the risks that we face. Enterprise Risk fulfills its independent risk oversight responsibilities by developing, deploying, and monitoring enterprise-wide frameworks and policies to manage risk. At its core, Enterprise Risk's objective is to deliver sophisticated risk management capabilities throughout the organization that:
• Align risk taking with the risk appetite established by the Board,
• Identify, measure, analyze, manage, escalate, and report risk at the transaction, portfolio, and enterprise levels,
• Support client facing businesses as they seek to balance risk taking with business and safety/soundness objectives,
• Optimize decision making,
• Promote sound processes and regulatory compliance,
• Maximize shareholder value, and
• Support our purpose of Lighting the Way to Financial Well-Being, support our performance promise of Leading the Movement for Financial Well-Being, and conform to our guiding principles of Client First, One Team, Executional Excellence, and Profitable Growth.

Our risk management culture operates within the context of our broader, purpose-driven corporate culture. Risk awareness within our culture informs the manner in which teammates act in the absence of specific guidance.

Our teammates are expected to:
• Put the client first,
• Exhibit strong personal and professional risk leadership, integrity, and ethics in all business dealings,
• Understand risks encountered and demonstrate a commitment to managing risks through individual actions,
• Demonstrate honesty, fairness, and respect in all internal and external interactions, and
• Emphasize the importance of executional excellence in all activities.

Our enterprise risk structure and processes are founded upon a comprehensive risk management roles and responsibilities framework, which delineates accountabilities across four dimensions.
• Risk Owners develop and implement strategies to drive opportunities; own accountability for business risks and control design/effectiveness to operate within the policies, standards, and limits set by Risk Oversight; escalate changes in the business or the risk environment that could affect risk appetite and control environment; and provide sufficient resources and infrastructure to manage activities to meet strategic objectives within risk appetite.
• Business Controls identify and assess the risks the business takes or is exposed to while conducting its activities; provide input to and accept articulation of risk appetite in policies, standards, and limits set by Risk Oversight; provide business analyses and support; determine whether business activities operate within policies, standards, and limits; and facilitate ongoing risk and control self-assessments to document, monitor, and evaluate control design and effectiveness.
• Risk Oversight provides independent oversight of all risk taking and risk management activities across all risk types and businesses; facilitates risk appetite expression by the Board within corporate strategic planning processes; sets risk management policies, standards, and limits; provides credible, independent challenge to risk owners and business' risk and control self-assessments; independently monitors, challenges, and reports on aggregate business results within risk appetite framework.
• Risk Assurance provides independent assessments of the risk management and internal control framework and systems. The scope of these assessments includes, but is not limited to, compliance with policies, standards, and limits; effectiveness of the independent risk management function; completeness and accuracy of information; and independent assessment of credit quality.

In practice, risk measurement activities occur at all levels of the organization. Enterprise Risk uses a variety of tools, reports, and analyses to evaluate specific exposures in order to:
• Provide a holistic view of risks,
• Present quantitative and qualitative assessments of current risks, which may be predictive of future risk trends and levels, and
• Promote transparency by fostering direct communication between Executive Management and the Board.

Enterprise risk governance is supported by a number of chartered risk-focused senior management committees. These “executive committees” are responsible for ensuring effective risk measurement and management within their respective areas of authority, and include the ERC, ALCO, CC, PMC, EBPC, TMC, and SIRC.
• ERC is chaired by the CRO and supports the CRO in identifying, measuring, and managing the Bank’s aggregate risk profile. ERC maintains a comprehensive perspective of existing and prospective risks; the effectiveness of risk management frameworks, policies and activities; and the execution of risk management processes.
• ALCO is chaired by the CFO and ensures that proper measurement, monitoring, management, and control processes are in place to achieve our ALM and liquidity risk management goals.
• CC is also chaired by the CFO and ensures that the proper measurement, monitoring, management, and control processes are in place to achieve our strategic capital goals, while also continuing to manage our risk-capital balance to meet regulatory capital adequacy and stakeholder return expectations.
• PMC is chaired by the Wholesale Segment Executive and facilitates the development of portfolio strategy that
