Bank of America

2004 report

Managing Risk

Overview

Our management governance structure enables us to manage all major aspects of our business
through an integrated planning and review process that includes strategic, financial, associate and
risk planning. We derive much of our revenue from managing risk from customer transactions
for profit. Through our management governance structure, risk and return are evaluated with a
goal of producing sustainable revenue, reducing earnings volatility and increasing shareholder
value. Our business exposes us to the following major risks: strategic, liquidity, credit, market
and operational.
Strategic risk is the risk that adverse business decisions, ineffective or inappropriate business
plans or failure to respond to changes in the competitive environment, business cycles, customer
preferences, product obsolescence, execution and/or other intrinsic risks of business will impact
our ability to meet our objectives. Liquidity risk is the inability to accommodate liability
maturities and deposit withdrawals, fund asset growth and meet contractual obligations through
unconstrained access to funding at reasonable market rates. Credit risk is the risk of loss arising
from a borrower's or counterparty’s inability to meet its obligations. Market risk is the risk that
values of assets and liabilities or revenues will be adversely affected by changes in market
conditions, such as interest rate movements. Operational risk is the risk of loss resulting from
inadequate or failed internal processes, people and systems or external events.

Risk Management Processes and Methods

We have established control processes and use various methods to align risk-taking and risk
management throughout our organization. These control processes and methods are designed
around “three lines of defense”: lines of business; support units (including Risk Management,
Compliance, Finance, Personnel and Legal); and Corporate Audit.
Management is responsible for identifying, quantifying, mitigating and managing all risks within
their lines of business, while certain enterprise-wide risks are managed centrally. For example,
except for trading-related business activities, interest rate risk associated with our business
activities is managed centrally in the Corporate Treasury function. Line of business management
makes and executes the business plan and is closest to the changing nature of risks and,
therefore, we believe is best able to take actions to manage and mitigate those risks. Our lines of
business prepare quarterly self-assessment reports to identify the status of risk issues, including
mitigation plans, if appropriate. These reports roll up to executive management to ensure
appropriate risk management and oversight, and to identify enterprise-wide issues. Our
management processes, structures and policies aid us in complying with laws and regulations and
provide clear lines for decision-making and accountability. Wherever practical, we attempt to
house decision-making authority as close to the customer as possible while retaining supervisory
control functions from both in and outside of the lines of business.
The Risk Management organization translates approved business plans into approved limits,
approves requests for changes to those limits, approves transactions as appropriate, and works
closely with lines of business to establish and monitor risk parameters. Risk Management has
assigned a Risk Executive to each of the four lines of business who is responsible for the
oversight of all risks associated with that line of business. In addition, Risk Management has
assigned Risk Executives to monitor enterprise-wide credit, market and operational risks.
Corporate Audit provides an independent assessment of our management and internal control
systems. Corporate Audit activities are designed to provide reasonable assurance that resources
are adequately protected; significant financial, managerial and operating information is
materially complete, accurate and reliable; and employees’ actions are in compliance with
corporate policies, standards, procedures, and applicable laws and regulations.
We use various methods to manage risks at the line of business levels and corporate-wide.
Examples of these methods include planning and forecasting, risk committees and forums, limits,
models, and hedging strategies. Planning and forecasting facilitates analysis of actual versus
planned results and provides an indication of unanticipated risk level. Generally, risk committees
and forums are comprised of line of business, risk management, compliance, legal and finance
personnel, among others, who actively monitor performance against plan, limits, potential issues,
and introduction of new products. Limits, the amount of exposure that may be taken in a product,
relationship, region or industry, seek to align risk goals with those of each line of business and
are part of our overall risk management process to help reduce the volatility of market, credit and
operational losses. Models are used to estimate market value and net interest income sensitivity,
and to estimate both expected and unexpected losses for each product and line of business, where
appropriate. Hedging strategies are used to manage the risk of borrower or counterparty
concentration risk and to manage market risk in the portfolio.
The formal processes used to manage risk represent only one portion of our overall risk
management process. Corporate culture and the actions of our associates are also critical to
effective risk management. Through our Code of Ethics, we set a high standard for our
associates. The Code of Ethics provides a framework for all of our associates to conduct
themselves with the highest integrity in the delivery of our products or services to our customers.
We instill a risk-conscious culture through communications, training, policies, procedures, and
organizational roles and responsibilities. Additionally, we continue to strengthen the linkage
between the associate performance management process and individual compensation to
encourage associates to work toward corporate-wide risk goals.

Oversight
The Board evaluates risk through the Chief Executive Officer (CEO) and three committees. The
Finance Committee, a committee appointed by the Board, establishes policies and strategies for
managing the strategic, liquidity, credit, market and operational risks to corporate earnings and
capital. The Asset Quality Committee, a Board committee, reviews credit and selected market
risks; and the Audit Committee, a Board committee, provides direct oversight of the corporate
audit function and the independent registered public accounting firm. Additionally, senior
management oversight of our risk-taking and risk management activities is conducted through
three senior management committees: the Risk and Capital Committee (RCC), the Asset and
Liability Committee (ALCO) and the Credit Risk Committee (CRC). The RCC, a senior
management committee, reviews corporate strategies and corporate objectives, evaluates
business performance, and reviews business plans, including capital allocation, for the
Corporation and for major businesses. The ALCO, a subcommittee of the Finance Committee,
approves limits for trading activities, and was established to manage the risk of loss of value and
related Net Interest Income of our trading positions. ALCO also provides oversight for Corporate
Treasury’s and Corporate Investment’s process of managing interest rate risk, otherwise known
as the ALM process, and reviews hedging techniques. In addition, ALCO provides oversight
guidance over our credit hedging program. The CRC, a subcommittee of the Finance Committee,
establishes corporate credit practices and limits, including industry and country concentration
limits, approval requirements and exceptions. The CRC also reviews business asset quality
results versus plan, portfolio management, and the adequacy of the allowance for credit losses.
Each committee and subcommittee has the ability to delegate authority to officers of
subcommittees to manage specific risks.
Management is in the process of finalizing its plans to address the Basel Committee on Banking
Supervision's new risk-based capital standards (Basel II). The Finance Committee and the Audit
Committee provide oversight of management's plans including the Corporation's preparedness
and compliance with Basel II. For additional information, see Note 14 of the Consolidated
Financial Statements.
In 2005, the Finance Committee chartered the Compliance and Operational Risk Committee
(CORC) as a subcommittee of the Finance Committee. CORC provides oversight and consistent
communication of operational and compliance issues.
The following sections, Strategic Risk Management, Liquidity Risk Management, Credit Risk
Management, Market Risk Management and Operational Risk Management, address in more
detail the specific procedures, measures and analyses of the major categories of risk that we
manage.