Balance Between Audit/Compliance and Risk Management - Best Practices. FIRMA 21st National Training Conference. Julia Fredricks, U.S. Chief Compliance Officer, Harris Financial Corp. April 19, 2007


Balance Between Audit/Compliance and Risk Management - Best Practices

FIRMA 21st National Training Conference

Julia Fredricks, U.S. Chief Compliance Officer, Harris Financial Corp

April 19, 2007


Background

Harris Financial Corp is owned by BMO Financial Group, based in Toronto. BMO Financial Group provides a broad and comprehensive range of retail banking, wealth management and investment banking products and solutions. Our financial services professionals provide access to services our customers require across our enterprise. We serve our clients through three operating groups: Personal and Commercial Banking, Private Client Group and Investment Banking Group.

Harris’ goal is to be the leading personal and commercial bank in the U.S. Midwest. Our community banking strategy leverages strong local leaders focused on exceptional customer service, offering a broad range of products and services through an expanding distribution network. This approach underlies our successful growth in the highly competitive and fragmented Chicago market and provides us with a strategic advantage when entering new markets. Strategies include:

Provide a best-in-class customer experience by emphasizing a strong performance culture and putting our best people in key positions with clear accountabilities.

Align our retail, business and wealth management offerings to meet all of our clients’ needs.

Expand our distribution network through a combination of acquisitions and new branches.


BMO/Harris Structure – Legal, Audit, Compliance, and Risk

[Organization chart. Boxes: BMO CEO; BMO Chief Administrative and Financial Officer; BMO Chief Auditor; BMO Chief Risk Officer; BMO General Counsel; BMO Chief Compliance Officer; Harris Chief Auditor; Harris Chief Risk Officer; Harris General Counsel; Harris Chief Compliance Officer]

Risk, Legal, and Compliance all report through the same executive chain of command. Audit is independent. This consistency allows for ease of communication and a consistent message in how we work with the Lines of Business (“LOBs”).

Disciplines are aligned enterprise-wide

The U.S. heads of each discipline report independently to Harris Board or Committees of the Board


Group Mandates

Compliance Mandate: U.S. Corporate Compliance is responsible for the monitoring and oversight of regulatory risk within the U.S. Compliance performs independent reviews of controls in place to manage regulatory risk.

Audit Mandate: Corporate Audit Division provides an independent assessment as to the effectiveness of internal control within the Enterprise. Audit performs independent reviews of controls in place to manage all risk types.

Risk Management Mandate: Risk Management ensures the organization’s credit, market, liquidity/funding, fiduciary and operational risks are understood, quantified, documented, mitigated where appropriate, aggregated where necessary and constrained in keeping with Corporate Policy. Risk Management facilitates risk and control self-assessment (“RCSA”) sessions with the lines of business.

Legal Department Mandate: Law Department is responsible for management of legal services enterprise-wide across the Enterprise, including (without limitation) the management of litigation matters and external legal counsel management, and providing advice and recommendations to LOBs and other internal groups on their legal (including fiduciary) risks and mitigating their legal (including fiduciary) risk exposure. Fiduciary Risk is a subset of Legal Risk. Legal oversees the resolution of compliance and litigation matters that may result in legal or regulatory sanctions.


Is Structure Effective? How to maximize information sharing

Legal, Audit, Compliance, and Risk Management meet on a frequent basis

All new products and revised policies are reviewed by Legal, Audit, Compliance, and Risk

Audit reviews the work performed by Compliance prior to performing a review and adjusts their scope based upon work done by Compliance. To be able to rely on their work, Audit performs a full audit of Compliance every 12 months

Audit and Compliance obtain most current RCSA as part of planning process for reviews

Audit is copied on all Compliance reports, and Compliance is copied on all Audit reports – these reports are used in planning process

Legal, Audit, and Compliance are invited to all independently facilitated RCSA sessions that are managed by Risk

Compliance meets with Legal before reviews. Legal is copied on all Compliance reports

Reports to Audit Committee are coordinated to reduce duplication – Legal and Audit review Compliance Report. One report is produced for Communications with Regulators that includes input from all three areas.

Compliance developed a “universe” document detailing all business units and the regulations applicable to those units. Compliance worked with Legal, Audit, and Risk to review the document in detail, and obtained their concurrence on its completeness. Each group reconciled “universe” to their population document.


Is Structure Effective? What to watch out for

Areas that are heavily regulated, such as trust, broker-dealer, and registered investment advisors, result in more overlap. We work closely to reduce overlap, but some naturally exists.

Challenge exists in managing the need and desire of primary banking regulator to have an “enterprise-wide” view of compliance risk management, with the separately regulated subsidiary’s primary regulator’s need and desire to have the compliance staff an embedded part of their entity. We manage this through dual reporting structures, which adds complexity.

Legal, Audit, Compliance, and Risk are all “independent” of the line of business, so who works with the LOB to implement corrective action? Need to have the ability to cross that line or LOB ends up having issues that they cannot address.

Issues that are reported to executive management and the Board – need to be careful that, as an issue is presented by various areas giving their point of view or “spin”, there is consistency in how the issue is portrayed, and that the facts are accurate. There is a risk of having an item reported several times; more risky still is an item being reported differently based upon who is making the report.

Risk that one area assumes another area is covering something when in fact they aren’t – risk of “white space”. For example, Audit assumed Compliance was doing something or Risk was covering it, when Risk and Compliance thought Audit was covering it.


Is Structure Effective? Key to Success

COMMUNICATE

COMMUNICATE

COMMUNICATE