STI 2018 Annual Report

addresses capital utilization, balance sheet optimization, and risk concentrations.

• EBPC is chaired by the Chief Human Resources Officer and is in place to assess and make determinations regarding our business practices to ensure alignment with core purpose, principles, and values, and to share best practices. EBPC also serves as the forum for enterprise reputational risk exposures.

• TMC is chaired by the CIO and provides a forum to discuss, debate, and challenge technology strategies and investments to ensure alignment of technology strategy execution across our organization.

• SIRC is chaired by the CRO and is responsible for identifying constraints to business acceleration, challenging assumptions or execution strategies, and validating alignment with our purpose, risk appetite, and strategic direction. SIRC serves as a forum to further support executive level review of strategic initiatives, strategic investments, and strategic risk appetite.

The CEO, CFO, and CRO are members of each of these executive committees. Additionally, other executive and senior officers are members of these committees based upon their responsibilities and subject matter expertise. Enterprise Risk continually refines our risk governance structures, frameworks and management limits, policies, procedures, and processes to reflect ongoing changes in our operating environment and/or corporate goals and strategies.

Credit Risk Management

Credit risk refers to the potential for economic loss arising from the failure of clients to meet their contractual agreements on all credit instruments, including on-balance sheet exposures from loans, leases, and investment securities, as well as contingent exposures including unfunded commitments, letters of credit, credit derivatives, and counterparty risk under derivative products.
As credit risk is an essential component of many of the products and services we provide to our clients, the ability to accurately measure and manage credit risk is integral to maintaining the long-run profitability and capital adequacy of our business. We commit to maintain and enhance a comprehensive credit system to meet business requirements and comply with evolving regulatory standards.

Enterprise Risk establishes and oversees adherence to the credit risk management governance frameworks and policies, independently measures, analyzes, and reports on loan portfolio and risk trends, and actively participates in the formulation of our credit strategies. Credit risk officers and supporting teammates within our lines of business are direct participants in the origination, underwriting, and ongoing management of credit. They work to promote an appropriate balance between our risk management and business objectives through adherence to established policies, procedures, and standards. Credit Review, one of our independent assurance functions, regularly assesses and reports on business unit and enterprise asset quality, and the integrity of our credit processes. Additionally, total borrower exposure limits and concentration risks are established and monitored. Credit risk may be mitigated through the purchase of credit loss protection via third party insurance and/or the use of credit derivatives such as CDS.

Borrower/counterparty (obligor) risk and facility risk are evaluated using our risk rating methodology, which is utilized in all lines of business. We use various risk models to estimate both expected and unexpected loss; these models incorporate both internal and external default and loss experience. To the extent possible, we collect and use internal data to ensure the validity, reliability, and accuracy of the risk models used in default, severity, and loss estimation.
See the “Critical Accounting Policies—Allowance for Credit Losses” section of this MD&A and Note 1, “Significant Accounting Policies,” to the Consolidated Financial Statements in this Form 10-K for information on our credit risk management activities as well as our ALLL accounting policy and determination. Information regarding our credit quality indicators can be found in Note 7, “Loans,” to the Consolidated Financial Statements in this Form 10-K.

Operational Risk Management

We face ongoing and emerging risks and regulations related to the activities that surround the delivery of banking and financial products, and we depend on our ability to process, record, and monitor a large number of client transactions on a continuous basis. As the potential for operational loss remains elevated and as client, public, and regulatory expectations regarding operational and information security have increased, we continue to enhance our efforts to safeguard and monitor our operational systems and infrastructure. We believe that effective management of operational risk, defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, plays a major role in both the level and the stability of our profitability. Our Enterprise Operational Risk Management function oversees an enterprise-wide framework intended to identify, assess, control, monitor, and report on operational risks. These processes support our goals to minimize future operational losses and strengthen our performance by maintaining sufficient capital to absorb operational losses that are incurred.

Cybersecurity Risk Management

Our business activities and operations rely on our systems, computers, software, data, networks, the internet, and digital applications, as well as the systems and infrastructure of third parties.
Our business, financial, accounting, data processing, or other systems or infrastructure may stop operating properly or become disabled or damaged as a result of a number of factors and influences that are wholly or partially beyond our control, such as potential failures, disruptions, or breakdowns, whether as a result of human error or intentional attack, as well as market conditions, fraudulent activities, natural disasters, electrical or telecommunications outages, political or social matters including terrorist acts, country risk, vendor risk, cyber-attacks, or other security risks. The use of digital technologies introduces cybersecurity risk that can manifest in the form of information theft, criminal acts by individuals, groups, or nation states, or other disruptions to our Company's, clients', or third parties'
