JPMC Three Lines of Defense

 The lines of business (LOBs) own management of risks and compliance with applicable laws/rules/regulations and policies/frameworks¹
 Independent Functions (Risk, Compliance, Audit) provide oversight, guidance and effective challenge
 Other functions² contribute to the firmwide control environment, including Finance; Human Resources; Legal; Corporate Oversight & Control; and Enterprise Technology

Lines of Business³ (Front Line Units)

Own the Risk and Design/Execute Controls
 Compliance with applicable laws/rules and regulations
 Adherence to policies/frameworks from Independent Risk Management and other control functions
 Identification and assessment of risks and design and execution of approach to mitigation, if appropriate
 Issue identification, remediation and action plan management
 Quality and accuracy of data/reporting

Oversight & Control facilitates key LOB control activities including:
 Business Control Committees
 Risk and Control Self Assessment Program (RCSA)
 Operational loss monitoring, root cause analysis and reporting
 Major control programs (e.g., New Business Initiative Approval, Third Party Oversight, Office of Legal Obligations)
 Drive Culture and Conduct initiatives for the front line
 Other (e.g., Keys)

Independent Risk Management⁴ (Risk Management and Compliance)

 Set and oversee the various standards for the firmwide risk management framework (which may include policy, identification, measurement, assessment, testing, limit setting, monitoring and reporting, governance structure, and/or appetite) across risk disciplines⁵
 Independent challenge

Risk Management
Develop and Monitor Execution of the Risk Governance Framework
 Oversight of each risk discipline (excluding Compliance) consistent with policies and frameworks
 Develop the Risk Appetite framework
 Define limits or risk tolerances across risks, where applicable
 Develop capital and stress models, where applicable
 Facilitate and monitor risk management practices

Compliance
Oversee Compliance Risk through Execution of Global Compliance Program
 Identify, analyze, measure and report on compliance risks
 Issue policies to support compliance with regulatory and corporate requirements
 Perform risk-based independent monitoring and testing of legal obligations and evaluate compliance control processes
 Promote awareness of applicable regulatory obligations and oversee Compliance Training Program
 Manage exams and other regulatory interactions

Internal Audit

 Perform Independent Testing and Evaluation of Firmwide Processes and Controls
 Provide objective assurance guided by a philosophy of adding value to improve the operations of the organization
 Assist the organization in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization's governance, risk management, and internal control processes

1) Framework is defined as policies, governance structure and appetite
2) Covering certain other risk categories e.g. Capital Risk, Legal Risk, Tax Risk, Cyber Risk and Technology Risk
3) Inclusive of LOB aligned Operations, Technology and Oversight & Control. Most of these groups also matrix report into the respective corporate group (i.e., Oversight & Control and Technology)
4) The entire firm (ex-Internal Audit) is subject to Independent Risk Management's risk and control framework; specifically, units are subject to Operational Risk Governance, Reputation Risk Governance, Model Risk Governance, and Compliance Risk Governance
5) Risk disciplines are Country, Credit, Liquidity, Market (including Structural interest rate), Model, Operational, Principal, Reputation, Compliance and Conduct (overseen by Compliance). Various of these risk disciplines overlap.