Board Risk Oversight
Our Board’s Role in Risk Oversight
Our Board believes that understanding, identifying, and managing risk is essential to our Company’s success. Our entire Board is responsible for overseeing the Company’s risk management processes and regularly discusses the Company’s risk profile and how best to manage the most significant risks the Company faces. Each of the Board committees is engaged in overseeing the Company’s risks as they relate to that committee’s respective areas of oversight, and has the responsibility for ensuring that overall risk awareness and risk management is appropriate. For example, the Compensation Committee performs periodic risk assessments to review and evaluate compensation program-related risks. The Board also specifically delegates certain risk oversight functions to the Audit and Enterprise Risk Committees.
• The Audit Committee is responsible for monitoring business risk practices, as well as legal and ethical programs, which helps the Board fulfill its risk oversight responsibilities relating to the Company’s financial statements, financial reporting process, and regulatory requirements. The Audit Committee also oversees the internal audit function.
• The Enterprise Risk Committee oversees the design and implementation of our enterprise risk management program. Our Enterprise Risk Committee’s primary purposes are to (i) monitor and review our enterprise risk management framework and risk appetite for credit, market, liquidity, operational, information technology and information security, compliance and legal, strategic, and reputation risks, and (ii) monitor and review the adequacy of our enterprise risk management functions.
As a general matter, except for cases where a particular committee may choose to meet in executive session, all Board members are invited (but not required) to attend the regular meetings of all Board committees. We believe that this transparent and collaborative structure provides for a more informed Board, overall, and helps the Board understand and monitor internal and external risks.
Risk Appetite Statement
The Board oversees, and approves on at least an annual basis, the Company’s Risk Appetite Statement, which sets forth qualitative and quantitative tolerance levels with respect to the amount and types of key risks underlying the Company’s business. Key risk indicator limits and thresholds are measured and reported quarterly to the Board. Suggested changes to the Company’s Risk Appetite Statement or related risk indicator limits and thresholds received from management are reviewed and challenged by the second line of defense, principally Enterprise Risk Management, after which changes are reviewed, challenged, and ultimately approved by the Enterprise Risk Committee of the Board. The Enterprise Risk Committee is responsible for recommending changes to the Risk Appetite Statement for approval by the Board, as well as overseeing the Company’s compliance with the Risk Appetite Statement. Our other Board committees and the full Board share responsibility for the Risk Appetite Statement by overseeing and approving applicable risk metrics that are contained in significant enterprise-wide policies, for example, concentration limits and thresholds in the Credit Policy.
Risk & Controls
With oversight from our Board and its committees, we are focused on, and continually invest in, our risk management and control environment. Our business teams, supported by our risk, compliance, legal, finance, and internal audit functions, work together to identify and manage risks applicable to our business, as well as to enhance our control environment. Particular areas of focus include, among other things, financial reporting, credit, concentrations, fraud, data management, privacy, bank regulatory requirements, and as further discussed below, cybersecurity.
We have adopted a three lines of defense model to control risk-taking. Our first line of defense, our business lines and support functions, identifies, assesses, monitors, and manages risk in these areas in accordance with established policies and procedures. Our second line of defense, independent risk management, including enterprise risk management, information security, internal loan review, compliance, and Bank Secrecy Act/AML functions, coordinates and oversees the implementation of the enterprise risk management framework, including monitoring the risk management activities of the first line of defense, and provides effective challenge to management’s decisions. Our third line of defense, Internal Audit, provides independent assurance to the Audit Committee of the Board on the design and effectiveness of our internal controls.
Cybersecurity
Information security is essential to our mission and our institutional strategic goals. Under the leadership of our Chief Information Security Officer (CISO), we have developed and implemented a comprehensive risk-based information security program that meets regulatory requirements and encompasses a cybersecurity program that is based upon the Cybersecurity Assessment Tool (CAT) developed by the Federal Financial Institutions Examination Council (FFIEC), as well as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework supports identifying and evaluating cybersecurity risks, making risk management decisions, and responding to emerging threats. The Information Security Program and all applicable cybersecurity policies, processes, and controls apply to all of our operations and all of our employees.
As part of our cybersecurity risk management strategy, we employ an in-depth, layered, and defensive approach that leverages people, processes, and technology to manage and maintain cybersecurity controls. As such, our cybersecurity risk management program includes, but is not limited to: regular (at least annual) employee cybersecurity training and communications; the use of preventative, detective, alerting, and defense-in-depth technologies; internal and third-party program oversight; policies and procedures regularly reviewed and designed with regulatory and industry guidance; an incident response plan to respond to cybersecurity incidents; and a threat intelligence program designed to assess the latest changes to the threat landscape. In addition, cybersecurity policies, procedures, and controls have been developed and implemented to protect against unauthorized access to consumer and customer information and to safeguard the information that is exchanged with third parties in accordance with applicable laws and regulations.
Cybersecurity Strategy
Integration with Overall Risk Management. Cybersecurity is a major component of our overall risk management approach. The Company’s cybersecurity risk management program is integrated into our overall enterprise risk management processes. This integration helps ensure that cybersecurity considerations are an integral part of our decision-making processes across the organization. Our risk management team works closely with our Information Security and Information Technology departments to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.
We continually evaluate cybersecurity risks as part of our overall risk management strategy. Cybersecurity risks are assessed, identified, and managed through various ongoing and scheduled processes, technologies, and techniques, including, but not limited to, periodic IT Risk Assessments, vulnerability scanning, penetration testing, employee cybersecurity awareness testing, and threat intelligence analysis.