Citigroup (C)

Policy

        The Citigroup Self-Assessment and Operational Risk Framework (the Framework) includes the Citigroup Risk and Control Self-Assessment Policy and the Citigroup Operational Risk Policy, which define Citigroup's approach to operational risk management.

        The Citigroup Operational Risk Policy codifies the core governing principles for operational risk management and provides a framework for operational risks consistent across the Company. Each major business segment must establish its own operational risk procedures, consistent with the corporate policy, and an approved operational risk governance structure. The Framework requires each business to identify its key operational risks as well as the controls established to mitigate those risks and to ensure compliance with laws, regulations, regulatory administrative actions, and Citigroup policies. It also requires that all businesses collect and report their operational risk losses.

        A formal governance structure is established through the Risk and Control Self-Assessment (RCSA) Policy to provide direction, oversight, and monitoring of Citigroup's RCSA programs. The RCSA Policy incorporates standards for risk and control assessment that are applicable to all businesses and staff functions; it establishes RCSA as the process whereby risks inherent in a business' activities are identified and the effectiveness of the key controls over those risks are evaluated and monitored. The objective of the policy is to establish a consistent approach to assessing relevant risks and the overall control environment across Citigroup. RCSA processes facilitate Citigroup's adherence to regulatory requirements, including Sarbanes-Oxley, FDICIA, the International Convergence of Capital Measurement and Capital Standards (Basel II), and other corporate initiatives, including Operational Risk Management and alignment of capital assessments with risk management objectives. The entire process is subject to audit by Citigroup's Audit and Risk Review, and the results of RCSA are included in periodic management reporting, including reporting to Senior Management and the Audit and Risk Committee.

Policy

        The Citigroup Self-Assessment and Operational Risk Framework (the Framework) includes the Citigroup Risk and Control Self-Assessment Policy and the Citigroup Operational Risk Policy, which define Citigroup's approach to operational risk management.

        The Citigroup Operational Risk Policy codifies the core governing principles for operational risk management and provides a framework for operational risks consistent across the Company. Each major business segment must establish its own operational risk procedures, consistent with the corporate policy, and an approved operational risk governance structure. The Framework requires each business to identify its key operational risks as well as the controls established to mitigate those risks and to ensure compliance with laws, regulations, regulatory administrative actions, and Citigroup policies. It also requires that all businesses collect and report their operational risk losses.

        A formal governance structure is established through the Risk and Control Self-Assessment (RCSA) Policy to provide direction, oversight, and monitoring of Citigroup's RCSA programs. The RCSA Policy incorporates standards for risk and control assessment that are applicable to all businesses and staff functions; it establishes RCSA as the process whereby risks inherent in a business' activities are identified and the effectiveness of the key controls over those risks are evaluated and monitored. The objective of the policy is to establish a consistent approach to assessing relevant risks and the overall control environment across Citigroup. RCSA processes facilitate Citigroup's adherence to regulatory requirements, including Sarbanes-Oxley, FDICIA, the International Convergence of Capital Measurement and Capital Standards (Basel II), and other corporate initiatives, including Operational Risk Management and alignment of capital assessments with risk management objectives. The entire process is subject to audit by Citigroup's Audit and Risk Review, and the results of RCSA are included in periodic management reporting, including reporting to Senior Management and the Audit and Risk Committee.