Strategic Risk is the risk that Capital One fails to achieve short and long-term business objectives because we fail to develop the
products, capabilities, and competitive position necessary to attract consumers, compete with competitors and withstand market
volatility. The result is a failure to deliver returns expected by stakeholders (customers, associates, shareholders, investors,
communities, and regulators).
The Chief Executive Officer is the accountable executive for Capital One strategy. The Strategy Executive serves as the Risk Steward
for strategy risk identification, aggregation, and mitigation on behalf of the Chief Executive Officer.
The Chief Executive Officer, together with the Strategy Executive, develops an overall corporate strategy and leads alignment of the
entire organization with this strategy through definition of strategic imperatives and top-down communication. The Chief Executive
Officer and other senior executives spend significant time throughout the entire company sharing the company’s strategic imperatives
to promote an understanding of our strategy and connect it to day-to-day associate activities to enable effective execution. Division
Presidents are accountable for defining business strategy within the context of the overall corporate level strategy and Strategic
Imperatives. Division Presidents review their strategies with the strategy group to assess strategy viability and identify and mitigate
risks. Business strategies are integrated into the Corporate Strategic Plan and are reviewed and approved separately and together on an
annual basis by the Chief Executive Officer and Board of Directors.
Operational Risk is the risk of direct or indirect financial loss from failed or inadequate processes, associate capabilities or systems, or
exposure to external events. The risk of financial loss associated with litigation is also included under operational risk.
The Chief Risk Officer is the accountable executive for establishment of risk management standards and for governance and
monitoring of operational risk at a corporate level. Division Presidents have primary accountability for management of operational
risk within their business areas. The Operational Risk Management Executive is the Risk Steward for operational risk.
While most operational risks are managed and controlled by business areas, the Operational Risk Management Program establishes
requirements and control processes that assure certain consistent practices in the management of operational risk, and provides
transparency to the corporate operational risk profile. Our Operational Risk Management Program also includes two primary
additional functions. Operational Risk Reporting involves independent assessments of the control and sustainability of key business
processes at a corporate and business area level, and such assessments are provided to the Chief Risk Officer, Risk Management
Committee, and Audit and Risk Committee. The Operational Risk Capital function, in conjunction with the corporate capital process
managed by Global Finance, establishes necessary operational risk capital levels to assure resiliency against extreme operational risk
event scenarios.
Operational Risk results and trends are reported to the Risk Management Committee and the Audit and Risk Committee of the Board.
Compliance Risk is the risk of financial loss due to regulatory fines or penalties, restriction or suspension of business, or cost of
mandatory corrective action as a result of failing to adhere to applicable laws, regulations, and supervisory guidance.
Division Presidents are the accountable executives for compliance risk and are responsible for building and maintaining compliance
processes and providing required reporting to the Risk Steward. With the Chief Compliance Officer, Division Presidents are jointly
accountable for ensuring the Compliance Management Program requirements are met for their division. The Chief Compliance
Officer is the Risk Steward.
We ensure compliance by maintaining an effective Compliance Management Program consisting of sound policies, systems,
processes, and reports. The Compliance Management Program provides management with guidance, training, and monitoring to
provide reasonable assurance of our compliance with internal and external compliance requirements. Additionally, management and
the Corporate Compliance department jointly and separately conduct on-going monitoring and assess the state of compliance. The
assessment provides the basis for performance reporting to management and the Board, allows business areas to determine if their
compliance performance is acceptable, and confirms effective compliance controls are in place. Business areas embed compliance
requirements and controls into their business policies, standards, processes and procedures. They regularly monitor and report on the
efficiency of their compliance controls. Corporate Compliance, jointly working with the business, defines and validates a standard
compliance monitoring and reporting methodology. Compliance results and trends are reported to the Risk Management Committee
and the Audit and Risk Committee of the Board.
Legal Risk is the risk of material adverse impact due to: (i) new and changed laws and regulations; (ii) new interpretations of law;
(iii) the drafting, interpretation and enforceability of contracts; (iv) adverse decisions or consequences arising from litigation or
regulatory scrutiny; (v) the establishment, management and governance of our legal entity structure; and (vi) the failure to seek or
follow appropriate Legal counsel when needed.