A COSO Based Risk & Control Framework

1. Operational Risk Management A Proposal for Success

2. Mission Statement We will support management’s goals and objectives by providing independent monitoring and assessment of management’s key business processes to ensure all business risks are anticipated, recognized and appropriately addressed before they adversely affect the Company. We will assess, monitor and manage risks in a manner that integrates with management’s strategic objectives and the corporate decision making process. We will help management effectively and efficiently deploy resources by striking balance between growth, returns and related risk.

3. Objectives The primary objectives of the Operational Risk Program are to: Act decisively to identify and manage key risks. Enable an appropriate risk/reward balance in operational risk decisions. Delivery transparent reporting of key risks to enable informed decisions. Drive accountability and exercise appropriate authority. Ensure consistency through a common framework. Maintain independent oversight of business performance. Transfer ownership of risks and controls to the business units.

4. Risk Framework The operational risk framework consists of four fundamental elements designed to provide a consistent approach to managing risk across the Company. This framework is intended to correspond with the framework components of COSO. These framework components are Event Identification and Assessment, Risk Response and Control Activities, Monitoring and Reporting.

5. Identify and Assess Each business unit should understand and document key operational risks to the organization, complete periodic self assessments of the risk environment to confirm identified key risks and identify new or emerging risks and prioritize those risks to ensure focus on risks that present frequent risk to the business. A documented risk profile is in place and updated annually. Risk and Control self assessments are completed periodically. Scenario analysis workshops have appropriate representation and support from each business unit to enable identification of emerging risks. Any gaps identified will be documented and addressed. Operational loss collection is performed per the Operational Incident Policy to identify control weaknesses or areas for improvement.

6. Risk Response and Control Each business unit will document mitigation of key operational risks, including key controls, risk transfer and risk acceptance. Risk tolerance levels should be established to aid in the decisioning of mitigation activities. Mitigation actions for key risks identified in the annual risk assessment are documented. Key risks may be mitigated using controls, risk transfer or risk acceptance. Risk acceptance is documented with the following information: Description of risk. Date of decision to accept the risk. Officers who agreed to accept the risk and the date of the next review of the decision. Policies and procedures are in place and include controls that mitigate risks. Risk requirements are included in annual employee goals and training.

7. Monitor Each business unit will develop metrics to facilitate monitoring of the control environment. Risks that have been accepted will be reviewed periodically to ensure that acceptance remains the appropriate mitigation approach. Businesses develop key risk metrics to monitor performance of key controls and supplement enterprise metrics. Key risks and controls are monitored to ensure they continue to be effective in managing and reducing risk. Mitigation and action plans are monitored by the businesses to ensure plan activities are completed. Each business has a process to escalate operational risk issues identified through monitoring.

8. Report Each business unit will report metrics and risk assessment results to management and risk governance bodies. Key risks, mitigation actions and monitoring results are reported to the appropriate levels of management timely Business issues are escalated to line of business governance in a timely manner and line of business issues that could have an enterprise impact will be escalated to senior management timely.