2006 General Meeting Assemblée générale 2006 Chicago, Illinois 2006 General Meeting Assemblée générale 2006 Chicago, Illinois Canadian Institute of Actuaries Canadian Institute of Actuaries L’Institut canadien des actuaires L’Institut canadien des actuaires

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Contents Introduction to CIBC Operational Risk Definition Rationale for Measuring Operational Risk Implementing an Operational Risk Program Measuring Operational Risk Future Developments / Enhancements

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Introduction to CIBC The Canadian Imperial Bank of Commerce (CIBC) is a leading North American financial institution with (at year end 2005): 11 million individual and small business clients; $12.5 billion in revenues; $280.4 billion of total assets; $24.1 billion market capitalization; and 37,000 employees worldwide

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Operational Risk Definition Operational risk is defined as: “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events” At CIBC Operational Risk is classified using the following seven loss types: Client Disservice; Legal Liability – Employees; Legal Liability – Clients and/or Third Parties; Loss or Damage to Assets; Regulatory, Compliance and Taxation Violations; Theft, Fraud, Unauthorized Activities; and Transaction Processing

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Rationale for Measuring OpRisk 1. Because it Benefits the Bank – Better understanding of our risks allows us to: Mitigate risks by changing controls, and/ or avoiding certain exposures; Price our risks into our products and services; and Transfer (i.e. insure) our risks to third parties Ensures we have a more complete capital capture for performance measurement. The economic capital for each business line is made up of credit, market, and operational risk capital. Some business have little or no credit/market risk but a substantial amount of OpRisk (e.g. fee based businesses) 2. Because it is a regulatory requirement under the new Basel Accord “You can’t manage what you can’t measure”

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Basel II & Regulatory Requirements In June 2004, regulators from the G-10 countries approved the Basel II Capital Accord, which will require, for the first time, banks to set aside regulatory capital for operational risks Basel II provides three methods for the calculation of operational risk capital: (i) the Basic Indicator Approach; (ii) the Standardized Approach; or (iii) the Advanced Measurement Approach (AMA) The Basic Indicator & Standardized Approaches are based upon simple multipliers of gross revenue, differing only by their organizational level of calibration (e.g. capital is 15% of the avg. annual gross revenue from the previous 3 yrs) The Advanced Measurement Approach (AMA) determines capital based on a bank’s internal operational risk measurement system

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 CIBC’s OpRisk Program Background OpRisk program has evolved over time to become compliant with the AMA requirements CIBC initially assessed operational risk capital in 1999 using an “AMA-like” approach; The approach was updated in 2002 to better align with the available guidance related to Basel II; Following the release of the new Basel Accord in June 2004; CIBC completed a gap analysis and identified eight projects that would enable the Bank to meet the new AMA requirements; and With the completion of all of the principal objectives for each of the eight projects in 2005, CIBC formally applied to OSFI for AMA for operational risk on February 1, 2006

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 CIBC’s OpRisk Program Framework: The Framework is aligned with the new Capital Accord and allows the Bank to: Identify Operational Risks; then Measure the risks identified; and Monitor/Report on the risks that have been measured Policy and Methodology: CIBC has a documented and approved Policy and Methodology which specifies how OpRisk is measured and outlines the roles and responsibilities of the various groups involved Supporting Technology: CIBC has invested in a technology solution which serves as a central repository for thousands of records used in the calculation of operational risk

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Risk Identification Process Risk Identification is the first step in attributing Operational Risk capital The Operational Risk Department works with business management to complete a Risk Identification The Risk Identification process summarizes which loss types are applicable to a given business activity As the business evolves and changes over time, the New Initiative Approval Process (NIAP) and the Risk and Control Self Assessment Processes (RSA & CSA) ensures that any relevant and material changes are communicated and incorporated into a revised Risk Identification for the given business.

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Operational Risk Measurement OpRisk capital is comprised of two components: (1) Baseline Capital Determined using a Loss Distribution Approach The inputs to the Baseline Capital are either; [1] Actual internal loss experience where there is a sufficient loss history available to perform statistical analysis; or [2] Loss scenarios, which are based on available internal/external loss data and management judgment (2) Qualitative Adjustments Qualitative Adjustments (QAs) are added in order to make timely adjustments for internal control issues and risks that were not included in the original operational risk profile Derived from the quarterly Risk and Control Self Assessment Processes (RSA & CSA) and add approximately 10% to 20% to baseline capital

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Operational Risk Monitoring Risk monitoring ensures that the capital remains current and that management is apprised of changes in the level of risk Risk monitoring involves the regular monthly reporting of operational risk capital to the business lines and to the Economic Capital group for performance measurement and the quarterly reporting of risk capital to senior management (Governance and Control Committee) and to the Board The underlying process for supporting and monitoring operational risk include: 1. the monthly tracking of actual operational losses; 2. the monthly review of the Key Risk Indicators (KRIs); 3. the quarterly Risk and Control Self Assessment Process (RSA & CSA); and 4. the quarterly capital update process

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 OpRisk Supporting Technology The AMA Program requires processing thousands of records information and to maximize efficiency a technology solution has been developed At the core of CIBC’s operational risk AMA compliance efforts is the “Sub-ledger” system The “Sub-ledger” system is a central repository which houses all of the operational risk data (e.g., losses, issues, etc.) feeds; performs the capital calculations and provides management reporting

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Risk Measurement Operational risk capital is comprised of two main components: 1. Baseline (internal loss data or scenarios) – Expected loss = frequency X severity – Baseline capital = Worst Case Loss – depends on the expected loss, distributional assumptions, and the confidence interval 2. Qualitative Adjustments (RSA/CSA output) – Covers risks and key control deficiencies

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Baseline Capital Quantification High Freq / Low Severity High frequency loss data for a given regulatory business line and loss type are fitted to a loss distribution and the Worst Case Capital calculated at a 99.9% Confidence Interval Low Freq / High Severity Low frequency events are defined through loss scenarios. The OpRisk group works with mgmt to determine a frequency and severity for each applicable loss type / business line. Internal and External loss data are used along with professional judgments to define the input parameters to the frequency and severity distributions. The resultant loss distribution is determined by running simulations ExpectedWorst Case Loss Distribution Severity Frequency Loss Distribution ExpectedWorst Case

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Qualitative Adjustments Qualitative Adjustments (QAs) ensure capital reflects the current internal control and risk environment In order to incorporate the latest information in regards to internal control issues arising from people, process and systems that were not addressed by baseline capital The adjustments are identified through the Risk and Control Self Assessment (RSA/CSA) process may have either a positive or negative impact on risk capital At CIBC this process is managed via a partnership of the OpRisk & Controls Group; and includes participation by the other governance groups (i.e. Audit, Legal & Compliance) The QAs adds 10% to 20% to baseline capital and provide a degree of conservatism. Also serves as both a penalty & an incentive for improvement of the risk/control environment

2006 General Meeting Assemblée générale General Meeting Assemblée générale 2006 Future Developments / Enhancements Reporting of Operational Risk Capital to OSFI as part of the parallel run through F2007 Ongoing enhancements of the methodology Continue to independently benchmark and validate the AMA Methodology