Morgan Stanley

Operations and Technology Committee Charter

As of October 15, 2021

Purpose

The Committee is appointed by the Board of Directors to assist the Board in its oversight of (i) the Company’s operations and technology strategy and significant investments in support of such strategy and (ii) operations, technology and operational risk, including information security, fraud, vendor, data protection and privacy, business continuity and resilience and cybersecurity risks.

Membership

  1. The Committee shall be comprised of at least three Board members appointed by the Board after considering the recommendation of the Nominating and Governance Committee. Committee members shall serve at the pleasure of the Board and for such term as the Board determines. The Board shall designate one Committee member as the Committee’s chair (the “Chair”).

Operations

  1. The Committee shall hold regular meetings at least four times per year and report to the Board on a regular basis.  Meetings shall include any participants the Committee deems appropriate and shall be of sufficient duration and scheduled at such times as the Committee deems appropriate to discharge properly its responsibilities.  The Chief Operating Officer, Head of Technology, Operations and Firm Resilience (“TOFR”), the Chief Risk Officer and the Chief Audit Officer shall generally attend regularly scheduled quarterly meetings of the Committee.

  2. The Committee shall meet, as deemed necessary and appropriate, in separate executive sessions with management, including the Head of TOFR and the Chief Risk Officer.

  3. The Committee shall receive information and participate in informal meetings and briefings with management, including the Head of TOFR and Chief Risk Officer, as necessary and appropriate between formal meetings of the Committee.  Such briefings and informal meetings may be through the Chair or individual Committee members, as appropriate.

  4. The Committee may form and delegate to one or more subcommittees all or any portion of the Committee’s authority, duties and responsibilities, and may establish such rules as it determines necessary or appropriate to conduct the Committee’s business.

  5. The Committee shall have direct access to, and complete and open communication with, the Company’s management, including the Head of TOFR and Chief Risk Officer, and may obtain advice and assistance from internal legal or other advisors to assist it. The Committee may also retain legal or other advisors.

  6. The Company shall provide for appropriate funding, as determined by the Committee, for the payment of (i) ordinary administrative expenses of the Committee that are necessary or appropriate in carrying out its duties and responsibilities and (ii) compensation to legal and other advisors retained by the Committee.

  7. The Committee shall review and assess its performance annually and report the results to the Board.

  8. The Committee shall review and assess the adequacy of this charter annually and, if appropriate, recommend changes to the charter to the Board.

Authority, Duties and Responsibilities

The Committee shall: 

Oversight of Operations and Technology

  1. Receive reports, as necessary and appropriate, from management on operations and technology strategy and trends that may affect the Company’s strategy, including monitoring of current and evolving industry trends, and the Company’s significant operations and technology investments.

  2. Receive reports, at least quarterly, from management on operations and technology metrics.

  3. Review the Company’s operations and technology strategy and associated budget and expenditures for the Company and its business segments.

  4. Review and, as appropriate, make recommendations to the Board regarding the Company’s significant technology investments in support of its technology strategy.

  5. Review and approve, as necessary and appropriate, the Company’s significant operations and technology policies.

  6. Receive reports, as necessary and appropriate, from the Chief Audit Officer regarding the results of reviews and assessments of the Company’s Operations and Technology functions.

Oversight of Risk Management

  1. Review at least quarterly the major operations, technology and operational risk exposures of the Company and its business units, including information security, fraud, vendor, data protection and privacy, business continuity and resilience, and cybersecurity risks (including review of cybersecurity risks against established risk management methodologies) and the steps management has taken to monitor and control such exposures.

  2. Receive reports, as necessary and appropriate, from management, including the Chief Risk Officer, on the Company’s risk management and risk assessment guidelines and policies regarding operations, technology and operational risk. 

  3. Receive, as necessary and appropriate, reports and recommendations from management and the Company’s internal Firm Risk Committee on operational risk tolerance.

  4. Oversee the Company’s process and significant policies for determining operational risk tolerance and review management’s measurement and comparison of overall operational risk tolerance to established limits.

  5. As appropriate, confirm operational risk tolerance levels as set forth in the Company’s Risk Appetite Statement.

  6. Receive reports from management regarding the Company’s business continuity planning and resilience.

Oversight of Regulatory Requirements

  1. Review significant risk management regulatory reports and findings of regulators, as applicable to the mandate of the Committee, including management’s remediation plans and progress against such plans.

Coordination with Management and Other Board Committees

  1. Coordinate with management, including the Chief Risk Officer, and with the Audit Committee and the Risk Committee (which coordination may be through the Committees’ Chairs) to help ensure that the committees have received the information necessary to permit them to fulfill their duties and responsibilities with respect to oversight of risk management and risk assessment guidelines and policies.

Other Authority

  1. Make such recommendations with respect to any of the above and any other matters as the Committee deems necessary or appropriate.

  2. Have such other authority, duties or responsibilities as may be delegated to the Committee by the Board.