Strong, effective and collaborative risk management is fundamental to our investment approach and is ingrained within our corporate culture.

Annaly Risk Management Framework

Our risk management framework is intended to facilitate a holistic, enterprise-wide view of risk that supports a strong and collaborative risk management culture across the firm. We maintain a risk appetite statement that defines both the level and types of risk that we are willing to manage in order to achieve our business objectives. Our risk culture seeks to ensure that key risks are highlighted, understood and managed appropriately.

We are subject to a variety of risks due to the nature of the businesses that we operate. The objective of our risk management framework is to identify, measure and monitor these risks. Risk categories include: Capital, Liquidity & Funding, Investment & Market, Counterparty, Operational, Compliance, Regulatory & Legal and Credit. We also consider changing adverse weather patterns and events in our analysis of risk across the portfolio.

Risk Categories

Capital, Liquidity & Funding

Risk to earnings, capital or business resulting from our inability to meet our obligations when they come due without incurring unacceptable losses because of inability to liquidate assets or obtain adequate funding.

Investment & Market

Risk to earnings, capital or business resulting from a decline in the value of our assets or an increase in the costs of financing caused by changes in market variables, such as interest rates, which affect the values of investment securities and other investment instruments.

Counterparty

Risk to earnings, capital or business resulting from a counterparty’s failure to meet the terms of any contract or to otherwise perform as agreed. This risk is present in funding, hedging and investing activities.

Operational

Risk to earnings, capital, reputation or business arising from inadequate or failed internal processes or systems (including business continuity planning), human factors or external events. This risk also applies to our use of proprietary and third-party models, software vendors and data providers, and oversight of third-party service providers such as sub-servicers and due diligence firms.

Compliance, Regulatory & Legal

Risk to earnings, capital, reputation or conduct of business arising from violations of, or nonconformance with, applicable internal and external rules and regulations, losses resulting from lawsuits or adverse judgments, or from changes in the regulatory environment that may impact our business model.

Credit

Risk to earnings, capital or business resulting from an obligor’s failure to meet the terms of any contract or to otherwise perform as agreed. This risk is present in lending and investing activities.

Risk management at Annaly begins with our Board and continues with executive oversight through the ongoing formulation of risk-management practices executed through Annaly’s in-house risk personnel. The Board, at the forefront of this risk control framework, exercises its oversight of risk management primarily through the Board Risk Committee and Board Audit Committee with support from the other Board Committees.

Daily assessment and management of risk is also the responsibility of our management. A series of management committees have oversight or decision-making responsibilities for Annaly’s overall risk-management activities. Membership of these committees is reviewed regularly to ensure the appropriate personnel are engaged in the risk-management process. Three primary management committees have been established to provide a comprehensive framework for risk management: the Enterprise Risk Committee, Asset and Liability Committee and the Financial Reporting and Disclosure Committee. Each of these committees reports to our Operating Committee, which is responsible for oversight and management of our operations, including approval authority over all aspects of our enterprise risk management.

Primary Risk Management Committees

Enterprise Risk Committee (ERC)

Oversight of enterprise-wide risk
Primary risk overseen:

  • Operations
  • IT/MIS
  • Compliance
  • Cyber
  • Legal & Regulatory
  • Reputational

Responsible for monitoring and oversight of internal controls environment
Review of risks overseen by the ALCO and FRDC

Asset and Liability Committee (ALCO)

Oversight of portfolio risk, asset allocation, financing, and investment decisions across all business silos, such as Mortgage Servicing Rights and Residential Whole Loans
Risks overseen:

  • Investment
  • Market
  • Liquidity
  • Credit
  • Capital / Funding
  • Counterparty

Financial Reporting and Disclosure Committee (FRDC)

  • Oversight of all financial disclosure matters
  • Monitoring of internal controls over financial reporting
  • Oversight of SOX program
  • Active monitoring of changes in GAAP / Tax standards and related applications

Operational Risk Management

Our Operational Risk Management practices include emergency preparedness planning and testing to maintain business continuity during events such as natural disasters and system outages. Our well-established Business Continuity Plan (“BCP”) was designed to ensure continued, effective operations through a variety of scenarios including natural disasters and pandemics. It identifies critical systems, processes, roles, and third parties, and can be adjusted on a real-time basis to address situations as they arise.

The BCP is regularly reviewed, tested, and updated. Annual testing includes extensive, remote Disaster Recovery testing and tabletop exercise scenarios with management. The BCP is part of three overlapping plans to address emergency events and ensures the firm’s crisis management planning is in place. It overlaps with the Cyber Security Incident Response Plan and the Corporate Event Protocol. Key tenets of the planning include active communication between our Crisis Response Team, made up of senior leaders across a number of functions, and our internal and external stakeholders to afford efficient, thoughtful, effective responses to evolving emergency situations.
