Unprecedented Events in 2008

1. Office of Financial Stability - Troubled Asset Relief ProgramImplementing Enterprise Risk Management in a Start-up Federal Organization

2. Unprecedented Events in 2008 2

3. OFS’ Challenges at inception Environment Encountered Risks • Siloed information • Disparate processing • Inability to create integrated reporting • High degree of manual processing • Version control issues with documents • Start-up organization (Inception: October 2008 resulting from passage of Emergency Economic Stabilization Act (EESA) • Programs to address liquidity and financial crisis were unclear • Expectation of rapid response • Limited experience leveraging from past crises • Processes not established • No policies or procedures • Heavy oversight demands (GAO, SIG TARP, Congressional Oversight Panel (COP) • Control environment changing rapidly • Non-existent Governance, Risk and Compliance activities 4

4. Identification of Existing ERM Frameworks In Use Based on COSO Internal Control and Enterprise Risk Management Frameworks and other best practices 6

5. Initial establishment of the OFS’ Methodology Design and implement risk mitigation actions Identify major risks and assign responsibility Define strategic objectives Test risk mitigation actions Set internal operational objectives Set risk and other objectives Monitor and report on risks Desired outcomes of overall program Overall objectives for OFS, including - Vision - Priorities - Operational norms Level of risk to undertake in - Financial - Market - Operational - People, Process and Systems - Strategic - Reputation Listing of major risks in the organization along with priority, timing and responsibility for addressing the risk Policies and procedures needed to manage level of risk Other actions as needed to mitigate risks Management information and reporting needed to ensure risks are within tolerances Periodic and independent testing of policies and procedures to ensure they are robust What Who Treasury policy officials Executive Committee (EC) in consultation with Treasury Management Executive Committee (EC) in consultation with Treasury Management Senior Assessment Team (SAT) in conjunction with OFS operating units (EC sets prioritization) OFS Operating units with support from CRCO and CFO OFS Operating units with support from CRCO and CFO - Reporting to SAT and EC CFO to test transactions processes, CRCO to test qualitative and performance measures How Policy development process EC meeting EC Risk Management meeting Discussion and in-depth interviews with staff leading to Risk Matrix Development of risk mitigation policies, procedures and other actions Regular reporting to SAT on status of risks Spread sheet tracking of risks and status 7

6. Goal was to achieve collaborative Enterprise Risk Management Risk Assessment Develop strategies for lowering risk Risk Mitigation Risk Scoping Force-Ranking of Risks • Location/Division • Statutory Group • Product Line • Commodity Group Inherent Risks Risk Mitigation Residual Risk Management Consensus Library of Risks Controls Gain management consensus for risk assessment e.g., • Financial • External, e.g., Political • Operational Internal Audit Risk Factors Compliance Strategy Self Audit 3rd Party Testing Risk Analytics Source: MetricStream 18

7. OFS’ Governance Environment established early Executive Committees - Joint Chiefs Meeting, Investment Committee, IT Governance Council, Contract and Agreement Review Board, Staffing Board Establish control environment Conduct risk assessments Senior Assessment Team Potential new functions Procurement Budget/Accounting Reporting/Compliance Human Resources Information Tech. Asset Purchases Asset Management Asset Sales Governance Internal and external monitoring Perform control activities by function Information and communication Program Functions Support functions Development and implementation of policies and procedures 8

8. Comprehensive view of the risks and controls OFS Risk Management Team Conduct risk assessments Asset Purchases Asset Management Asset Sales Potential new functions Procurement Budget/Accounting Reporting/Compliance Human Resources Information Tech. Process owners establish control environment Process owners execute control activities External monitoring from Oversight Organizations Business Functions Support functions Execute internal controls methodology for all components of the organization OFS Internal Controls Team 9

9. Linkage Between Risk Management and Internal Controls Tasks • Leveraging stakeholder interviews • Internal control over operations and financial reporting • Annual Assurance Statement • Sharing process flow documentation • Sharing risk control matrices • Leveraging test plans and results • Jointly leading the effort to develop office-wide policies and procedures 12

10. Initial Focus was on Operational Risk Assessments The following risk categories provide a common language for evaluating operating risks, and support an assessment of key risk areas. We begin our assessment with a list of generic questions for these risk categories and tailor the questions to the specific program or business support function being addressed Operating Risks People Process Technology External Events Reporting & Disclosure • Staffing Expertise & Adequacy • Employee Fraud & Theft • Staffing Workload • Skills • Training • Morale • Career Advancement • Supervision • New Product /Offerings/Structures • Transaction Sourcing • Transaction Processing • Vendor/Supplier • Data Quality • Legal/Compliance • Model Application • Model Design • Process Maturity • Awareness • Communication of the Process • Coordination with Other Areas • Policies and Procedures • Controls, Performance Metrics, • Transaction Processing • Stream Lining • Architecture, Configuration, Integration Design • Hardware • Software • Infrastructure • End User Computing • Security • Access • Tools • Backup • Continuity of Operations • Data Integrity • Enterprise Architecture • Change Management • External Fraud/Theft • Business Continuity • Financial Reporting & Disclosure • Regulatory Reporting • Securities Reporting & Disclosure Financial Reputational Political Strategic Compliance • Monetary Loss • Fraud Potential • Internal Controls • Mission Impact • Communication with Oversight Organizations • Linkage to enterprise risk-convergence of bottoms –up and top-down view of risk ( as discussed, we need to see the individual risks collectively to form a view of the strategic risk) • Contractual provisions with third parties such as financial agents, internal controls, EESA non-compliance (Executive Compensation, etc. ), controls to prevent fraud 11

11. Process of Conducting Risk Assessments • Choose high priority programs and business support areas • Identify key processes/lifecycle steps within each high priority area • Develop risk interview questions based on understanding of underlying processes supporting programs and business support areas • Interview key stakeholders for each program/business area (10-12) • Synthesize risks • Assign risk ratings (high, medium, low) • Develop mitigation plans for areas assigned high or medium risk rating • Report periodically on results of risk assessments and progress against mitigation plans 13

12. We are transitioning to evaluating other types of risk Programs CPP, PPIP, SBA, etc. • Credit Risk Criteria • Credit Grades (Ratings) • Yields (Credit Spreads) • Concentration Amounts • (By Sector, Asset and Class) • Market Risk Criteria • Duration (Fixed Income) • Volatility, Delta, Theta, • Rho (Options and Warrants) • Equity Beta (Common Stock) ProgramData Analytical Tool Risk Reporting and Monitoring 15

13. OFS’ approach to managing Compliance for TARP programs Compliance Requirements Compliance Activities at TARP • Laws Applicable to TARP • Economic Stability Act of 2008 (EESA) • American Recovery and Reinvestment Act of 2009 (ARRA) • Regulations Applicable to TARP • TARP Standards for Compensation and Corporate Governance (31 CFR Part 31) • Interim Final regulation for Conflicts of Interest (31 CFR Part 31) • Legal Documents • Governing the programs and their related activities • Applicable Investment Laws and Regulations • Investment Advisers Act of 1940 • Investment Act of 1940 • Each TARP program has its own unique compliance requirements • Capital Purchase Program (“CPP”) • Automotive Industry Financing Program (“AIFP”) • Auto Supplier Support Program (“ASSP”) • Small Business Administration Loans (“SBA”) • Systemically Significant Failing Institutions (“SSFI”) • Targeted Investment Program (“TIP”) • Asset Guarantee Program (“AGP”) • Term Asset-Backed Securities Loan Facility (“TALF”) • Making Home Affordable (“MHA”) Program • Public-Private Investment Program (“PPIP”) • Report on Non Compliance • Reports to Oversight Organizations Financial Agents Compliance Anti-Fraud Group 17

14. An integrated ERM system is still a work in progress Compliance Management (SOX, IT, Regulatory) Risk Policy Internal Audit Management • Email Integration • Document Interoperability • Manage Control Hierarchy • Controls testing • Remediation • 302 Certification • Federated Compliance Reporting Risk Management Issues Management/ Remediation Dashboards & Reporting • Closed Loop Issues Management • Manage Risk/Control Matrix • Enterprise Risk Assessment • Define audit universe • Work Program Library • Electronic Workpapers • Scheduling • Remediation • Reporting • Resource Management • Other Compliance Reporting Source: MetricStream 19

15. Challenges ahead • OFS is a temporary agency within US Treasury • Most of the staff are term employees – loss of intellectual capital • Scalability of the ERM function to other components of US Treasury • Budget pressures • Convincing and educating senior management of the sustainability of ERM across the organization 13