Risk Identification, Assessment, and Reporting

TD applies the following principles to how it manages risks:

• Enterprise-wide in scope. Risk management spans all areas of TD, including third-party alliances and joint venture undertakings and all boundaries, both geographic and regulatory.

• Transparent and effective communication. Matters relating to risk are communicated and escalated in a timely, accurate, and forthright manner.

• Enhanced accountability. Risks are explicitly owned, understood, and actively managed by business management and all employees, individually and collectively.

• Independent oversight. Risk policies, monitoring, and reporting will be established independently and objectively.

• Integrated risk and control culture. Risk management discipline is integrated into TD's daily routines, decision making, and strategy.

• Strategic balance. Risks are managed to an acceptable level of exposure, recognizing the need to protect and grow shareholder value.

Risk identification and assessment are focused on recognizing and understanding existing risks, risks that may arise from new or evolving business initiatives, and emerging risks from the changing environment. TD looks to establish and maintain integrated risk identification and assessment processes that enhance the understanding of risk interdependencies, consider how risk types interact, and support the identification of emerging risks.

Depending on the risk type, the risk identification and assessment process may be developed and/or controlled by the business segment with oversight provided by Risk Management, or it may be controlled by a function within Risk Management. For example, credit risk assessment processes developed by a business segment exist for both retail and nonretail clients. The nature of those processes may vary by and/or within a business segment depending on the specific nature of the risk. Risk Management's role in these processes is to provide oversight and challenge to ensure that the analysis and results produced by the process focus on the relevant issues.

Other risk assessment identification and assessment processes that can and/or need to be applied on a consistent basis across TD have been developed by Risk Management at the enterprise level. Examples of such processes would include the Risk and Control Self-Assessment (RCSA) report, the Emerging Risk Identification process, scenario analysis and stress testing, and the Internal Capital Adequacy Assessment Process (ICAAP).