Strategic Risk is the risk that Capital One fails to achieve short and long-term business objectives because we fail to develop the products, capabilities, and competitive position necessary to attract consumers, compete with competitors and withstand market volatility. The result is a failure to deliver returns expected by stakeholders (customers, associates, shareholders, investors, communities, and regulators). The Chief Executive Officer is the accountable executive for Capital One strategy. The Strategy Executive serves as the Risk Steward for strategy risk identification, aggregation, and mitigation on behalf of the Chief Executive Officer. The Chief Executive Officer, together with the strategy executive, develops an overall corporate strategy and leads alignment of the entire organization with this strategy through definition of strategic imperatives and top-down communication. The Chief Executive Officer and other senior executives spend significant time throughout the entire company sharing the company’s strategic imperatives to promote an understanding of our strategy and connect it to day-to-day associate activities to enable effective execution.

Division Presidents are accountable for defining business strategy within the context of the overall corporate level strategy and Strategic Imperatives. Division Presidents review their strategies with the strategy group to assess strategy viability and identify and mitigate risks. Business strategies are integrated into the Corporate Strategic Plan and are reviewed and approved separately and together on an annual basis by the Chief Executive Officer and Board of Directors.

Operational Risk is the risk of direct or indirect financial loss from failed or inadequate processes, associate capabilities or systems, or exposure to external events. The risk of financial loss associated with litigation is also included under operational risk. The Chief Risk Officer is the accountable executive for establishment of risk management standards and for governance and monitoring of operational risk at a corporate level. Division Presidents have primary accountability for management of operational risk within their business areas. The Operational Risk Management Executive is the Risk Steward for operational risk. While most operational risks are managed and controlled by business areas, the Operational Risk Management Program establishes requirements and control processes that assure certain consistent practices in the management of operational risk, and provides transparency to the corporate operational risk profile.

Our Operational Risk Management Program also includes two primary additional functions. Operational Risk Reporting involves independent assessments of the control and sustainability of key business processes at a corporate and business area level, and such assessments are provided to the Chief Risk Officer, Risk Management Committee, and Audit and Risk Committee. The Operational Risk Capital function, in conjunction with the corporate capital process managed by Global Finance, establishes necessary operational risk capital levels to assure resiliency against extreme operational risk event scenarios. Operational Risk results and trends are reported to the Risk Management Committee and the Audit and Risk Committee of the Board.

Compliance Risk is the risk of financial loss due to regulatory fines or penalties, restriction or suspension of business, or cost of mandatory corrective action as a result of failing to adhere to applicable laws, regulations, and supervisory guidance. Division Presidents are the accountable executives for compliance risk and are responsible for building and maintaining compliance processes and providing required reporting to the Risk Steward. With the Chief Compliance Officer, Division Presidents are jointly accountable for ensuring the Compliance Management Program requirements are met for their division. The Chief Compliance Officer is the Risk Steward.

We ensure compliance by maintaining an effective Compliance Management Program consisting of sound policies, systems, processes, and reports. The Compliance Management Program provides management with guidance, training, and monitoring to provide reasonable assurance of our compliance with internal and external compliance requirements. Additionally, management and the Corporate Compliance department jointly and separately conduct on-going monitoring and assess the state of compliance. The assessment provides the basis for performance reporting to management and the Board, allows business areas to determine if their compliance performance is acceptable, and confirms effective compliance controls are in place. Business areas embed compliance requirements and controls into their business policies, standards, processes and procedures. They regularly monitor and report on the efficiency of their compliance controls. Corporate Compliance, jointly working with the business, defines and validates a standard compliance monitoring and reporting methodology. Compliance results and trends are reported to the Risk Management Committee and the Audit and Risk Committee of the Board.

Legal Risk is the risk of material adverse impact due to: (i) new and changed laws and regulations; (ii) new interpretations of law; (iii) the drafting, interpretation and enforceability of contracts; (iv) adverse decisions or consequences arising from litigation or regulatory scrutiny; (v) the establishment, management and governance of our legal entity structure; and (vi) the failure to seek or follow appropriate Legal counsel when needed.