The Committee is appointed by the Board of Directors to assist the Board in its oversight of (i) the Company’s operations and technology strategy and significant investments in support of such strategy and (ii) operations and technology risk.
The Committee shall be comprised of at least three Board members appointed by the Board. Committee members shall serve at the pleasure of the Board and for such term as the Board determines. The Board shall designate one Committee member as the Committee’s chair.
The Committee shall hold regular meetings at least four times per year and report to the Board on a regular basis. Meetings shall include any participants the Committee deems appropriate and shall be of sufficient duration and scheduled at such times as the Committee deems appropriate to discharge properly its responsibilities. The head of the internal audit department (the “Global Audit Director”) shall generally attend regularly scheduled quarterly meetings of the Committee.
The Committee may meet periodically in executive sessions, including with members of management, as appropriate.
The Committee may form and delegate to one or more subcommittees all or any portion of the Committee’s authority, duties and responsibilities, and may establish such rules as it determines necessary or appropriate to conduct the Committee’s business.
The Committee shall have direct access to, and complete and open communication with, the Company’s management and may obtain advice and assistance from internal legal, accounting or other advisors to assist it. The Committee may retain independent legal, accounting or other advisors to assist it, and may determine compensation for such advisors, and the Company shall be responsible for any costs or expenses so incurred.
The Committee shall review and assess annually its performance and report the results to the Board.
The Committee shall review and assess annually the adequacy of this charter and, if appropriate, recommend changes to the charter to the Board.
Authority, Duties and Responsibilities
The Committee shall:
Oversight of Operations and Technology
Receive reports from management, as and when appropriate, on operations and technology strategy and trends that may affect the Company’s strategy, including monitoring of overall industry trends, and significant operations and technology investments.
Receive reports from management, as and when appropriate, on operations and technology metrics.
Review the Company’s operations and technology strategy and associated budget and expenditures for the Company and its business segments.
Review and, as appropriate, make recommendations to the Board regarding significant technology investments in support of the Company’s technology strategy.
Review or discuss, as and when appropriate, the Company’s operations and technology policies.
Receive reports, as necessary and appropriate, from the Global Audit Director regarding the results of reviews and assessments of the Company’s operations and technology functions.
Oversight of Risk Management
Review the major operations and technology risk exposures of the Company, including information security, fraud and cybersecurity risks (including review of cybersecurity risks against established risk management methodologies) and the steps management has taken to monitor and control such exposures.
Review or discuss, as and when appropriate, with management, including the Chief Risk Officer, the Company’s risk management and risk assessment guidelines and policies regarding operations and technology risk.
Oversee the Company’s process and significant policies for determining cybersecurity risk tolerance and review management’s measurement and comparison of overall cybersecurity risk tolerance to established limits.
As appropriate, confirm cybersecurity risk tolerance levels as set forth in the Risk Appetite Statement.
Receive reports from management regarding the Company’s business continuity planning.
Coordination with Management and Other Board Committees
Coordinate with management, including the Chief Risk Officer, and with the Audit Committee and the Risk Committee (which coordination may be through the Committee Chair) to help ensure that the committees have received the information necessary to permit them to fulfill their duties and responsibilities with respect to oversight of risk management and risk assessment guidelines and policies.
Have such other authority, duties or responsibilities as may be delegated to the Committee by the Board.
Make such recommendations with respect to any of the above and any other matters as the Committee deems necessary or appropriate.