Enterprise Risk Management
As an organization, we have incorporated risk management into our culture, from decisions regarding strategies and capital, to reducing risk in business processes. Risk management does not completely eliminate risk but seeks to achieve an appropriate balance between risk and return, which is critical to optimizing shareholder value. Our program provides clear ownership and accountability for managing risk, and protects the interest of our customers, team members, and shareholders.
Oversight
Risk management is embraced at the highest levels of executive management, as well as at the Board level. While all four Board committees have responsibility for certain individual aspects of risk (e.g., reputation risk, operational risk), the Risk Committee is responsible for approving and periodically reviewing our enterprise-wide risk management policies and overseeing the operation of the enterprise risk management framework and function.
With all team members having risk as part of their job responsibilities, risk is managed throughout the organization. Every individual is responsible for identifying, understanding, and monitoring risks while adhering to appropriate risk controls that include policies, procedures, and limits.
Policy and Program
Because risk throughout our organization is so interrelated, our risk management practices and policies are managed under one Enterprise Risk Management (ERM) program. The Synovus ERM team coordinates the identification, assessment, and reporting of our risks and monitors that they are being managed appropriately. This enhances our ability to make better decisions, deliver on objectives, and improve performance.
The Synovus Enterprise Risk Policy is applicable to all areas and team members of our organization, including the holding company, the Bank, and our subsidiary companies.
The policy helps ensure we:
- design and develop a comprehensive process to identify, prioritize, assess, and manage risk exposures and opportunities;
- construct an infrastructure to support ERM and ensure that responsibilities are clearly defined and communicated at all levels;
- develop risk management information that is communicated through a clear and robust reporting structure;
- and integrate ongoing risk management activities within the business.
Business Continuity and Resilience
At Synovus we focus both on business resilience and business continuity. Business resilience reflects our efforts to make our environment as tolerant as possible and minimize the impact of adverse events. Business continuity planning is how we prepare to respond to an event when it actually happens, and the mechanics of recovering from that disaster.
We have a Business Continuity and Disaster Recovery Program in place, which includes policies, procedures and systems designed to prevent or limit the effect of possible failures, interruptions or breaches. Our business continuity programs are designed to provide services in the case of an event resulting in material disruptions of our operating systems. We regularly seek to enhance these policies, procedures and systems, and our incident response program is tested regularly, including through independent third-party reviews and assessments.
Oversight
The Risk Committee of the Board has oversight of technology and operational risk. On the executive level there is a Business Continuity Advisory Committee which provides strategic direction and support to the program. The members include the Chief Financial Officer, the Chief Risk Officer, and the General Counsel.
We also have a Business Continuity Working Group with cross-functional representation that meets quarterly to review what is being done from a program perspective. This includes identifying improvement opportunities and assessing how changes in regulatory requirements may impact the program.
Program Overview
Each department in Synovus is responsible for preparing current and comprehensive Business Continuity Plans (BCP) and maintaining team members’ current contact information within our Emergency Notification System to ensure continuity of processes in the event of a business disruption.
There are two components to the Business Continuity and Disaster Recovery program: the business impact analysis (BIA) and the associated business continuity plan (BCP). Each of our business units goes through an annual BIA to identify the most critical functions and the potential impact of a disruption. This process supports the prioritization of what processes, systems, tools and facilities are most critical to recover, how they would be recovered, and within what time frame. The BIA is facilitated by the corporate business continuity team, which provides a framework and ensures process consistency and oversight. Each BIA is signed off by the business unit leader. We track and report to executive management the number and percentage of completed BIAs.
When BCPs are completed and approved, each plan is tested using common testing methods. Testing of the BCPs is done at least annually.
Systemic Risk Management
We are required to comply with capital adequacy standards established by our primary federal regulator, the Federal Reserve, and we measure capital adequacy using the standardized approach to the Basel III Final Rule. As of December 31, 2020, our capital levels remained strong and exceeded well-capitalized requirements currently in effect. For additional information please see our latest Form 10-K and Form 10-Q filings.
Although the Economic Growth, Regulatory Relief, and Consumer Protection Act enacted in 2018 reduces certain regulatory requirements for bank holding companies such as Synovus, we continue to focus on sound risk management practices throughout the organization. These practices include sensitivity analyses such as company-run stress tests that are used to assess capital adequacy and inform strategic initiatives.
ESG Factors in Credit Risk Management
Our goal is to maintain a high-quality loan portfolio in order to safely meet the requirements of our shareholders, customers, team members, and regulators. Our loan policy sets the standards for credit guidance, underwriting and documentation. A current and effective loan policy helps our management ensure that our lending function is operating within established risk tolerances. It is revised as the bank, business conditions, or regulations require, and it undergoes a comprehensive annual review, or more frequent review as needed, to ensure it doesn’t become outdated and ineffective.
In our loan policy we have the ability to prohibit or limit lending to certain entities, based upon BSA/AML or other considerations outlined in the policy.
Oversight
The Board of Directors of Synovus Bank, upon recommendation of the Risk Committee, approves the Loan Policy. Any policy recommendations are put forward by the Loan Policy Council and presented to the Synovus Credit Risk Committee (SCRC) before being recommended to the Board.
Credit Underwriting and Portfolio Management
Our Commercial and Industrial (C&I) loan portfolio represents the largest category of our total loan portfolio and is primarily comprised of general middle market and commercial banking clients across a diverse set of industries. We include a table of the composition of the C&I loan portfolio aggregated by NAICS code in our Form 10-K and Form 10-Q filings.
In accordance with our lending policy, each loan undergoes a detailed underwriting process which incorporates uniform underwriting standards and oversight in proportion to the size and complexity of the lending relationship.
In our credit underwriting process, we consider various company-specific factors and also information about the industry in which the borrower operates, including data, outlook, and trends.
Social Factors in Underwriting
Our goal is to continue to be a leader in corporate citizenship, recognizing that the business decisions made by our company and our customers can have potential adverse impacts on communities.
The Socially Sensitive Industry Assessment Program (SSIAP) was created to ensure that we properly consider socially sensitive issues through a variety of lenses to effectively determine a stance on the desirability of banking a particular industry or business within an industry. The SSIAP includes a framework for understanding, assessing, and considering the risks of banking various industries or businesses by establishing a risk assessment/due diligence process. The assessment takes into consideration the potential strategic, reputational, credit, legal, compliance and financial risks of providing banking services to these companies.
A Socially Sensitive Industry is defined as an industry that has the potential to have a polarizing impact on specific groups of people or society in general, very often triggered by an event, significant negative media coverage and/or political positioning.
The Executive Management Committee (EMC) oversees the program including due diligence, implementation and ongoing monitoring with reporting to the Risk Committee of the Board.
Risk identification and assessment questions are posed to representatives from a cross-functional group, with questions being specific to the area of risk for which they are responding. After answering the questions, each representative assigns a level of risk for banking with that particular industry and/or business, based on our risk impact scale. Depending on the level of risk, we may choose to limit our exposure to the industry in question.
Environmental Program
Appropriate environmental due diligence helps to prevent loan losses attributable to diminished collateral value and impairment of the borrower’s cash flow due to environmental costs.
Our Environmental Policy provides specific policies and procedures, which must be followed during loan processing, to protect us from losses due to environmental impairment of collateral properties and impairment of business income for clients that might lead to loan default.
The policy has been developed with the assistance of an environmental, health and safety consulting firm engaged to act as the administrator of our overall Environmental Program.
We have a decision process for environmental due diligence including an environmental questionnaire. The due diligence includes database searches, desktop reviews, file reviews, and environmental site assessments, investigating past and current uses of the subject property to identify potential environmental concerns.
The process for due diligence applies to all loans secured with real property.