Balance Between Audit/Compliance and Risk Management – Best Practices FIRMA - 21 st National Training Conference David Bilko Chief Audit Executive SunTrust Bank April 19, 2007

1 Background SunTrust Banks, Inc., with assets of $182 billion, operates 1700 branches in the southeastern US. Operating model emphasizes local geographic management empowerment combined with the economies of scale and product development advantages that come from being one of the nation’s largest banking organizations. Geographic focus is complemented by 5 major lines of business: Retail, Commercial, Corporate and Investment Banking, Mortgage, and Wealth and Investment Management Wealth Management provides fiduciary, brokerage and investment management to institutions and individuals. –Total assets under advisement $246 billion –Trust Assets $207 billion –Retail Brokerage $39 billion

2 SunTrust Structure – Audit, Legal, Compliance, and Risk Audit Services  Functionally – Audit Committee  Administratively – Chief Administrative Officer Wealth & Investment Management Audit team Legal  General Counsel - CEO Fiduciary & ERISA Attorneys Corporate Compliance  Chief Compliance Officer – General Counsel Compliance Functions – RIA and Broker/Dealer Enterprise Risk Management  Chief Risk Officer - CEO  LOB/Function Risk Managers Solid line to LOB or Function Dotted Line ERM

3 Group Roles Audit Services - Provide independent assurance on the design and operating effectiveness of controls across the enterprise Legal – In a cost effective manner: Provide legal advice, manage litigation, coordinate use of outside counsel, monitor all legal expenses, assist with legal risk analysis and risk mitigation, and provide Corporate Secretary functions Corporate Compliance – perform reviews of controls designed to mitigate compliance risk, assess and monitor compliance risk across the enterprise, perform ongoing oversight and surveillance of compliance risk Enterprise Risk Management – includes SOX PMO, Model Validation Group, Basel II Readiness, Operational Risk – RCSA’s LOB/Function Risk Managers – risk and control advisors on all types of risk including compliance, credit, operating, etc. Develops policies and procedures, performs risk assessments and documents risk profiles

4 Challenge - Achieving Structural Balance Where we were:  Decentralized Silo Driven  Lots of requests for same information from different sources  Lack of agreement on levels of risk and controls  Gaps in coverage  Limited collaboration and sharing of information  Ownership issues Where we are going:  Harmonized, rational view of all risks and controls across the Enterprise (LOB)?  Make risk assessment and mitigation an effective process and efficiencies will follow, including better economics  Line will retain responsibility for risks and controls

5 Challenge – Achieving Structural Balance Roadmap:  Identify Board Level Responsibilities  Risk Management, Compliance and Audit are working together to identify proper stakeholders in the LOB’s, the risks, domains, controls, data sources, and testing ownership (who is doing the checking)  Leveraging each other’s platforms  Prioritizing opportunities  Creating an operating model that will resolve gaps and overlaps  Concept that clarifies roles, responsibilities, and scope  Improved Issue Management Form will follow function End State is a rational, economical, agile enterprise approach to risk management and control testing