Board committees is engaged in overseeing the Company’s risks as they relate to that committee’s areas of oversight, and has the responsibility for ensuring that overall risk awareness and risk management is appropriate. For example, the Compensation Committee performs periodic risk assessments to review and evaluate compensation program-related risks. The Board also specifically delegates certain risk oversight functions to the Audit and Enterprise Risk Committees.
• The Audit Committee is responsible for monitoring business risk practices, as well as legal and ethical programs, which helps the Board fulfill its risk oversight responsibilities relating to the Company’s financial statements, financial reporting process, and regulatory requirements. The Audit Committee also oversees the internal audit function.
• The Enterprise Risk Committee oversees the design and implementation of our enterprise risk management program. Our Enterprise Risk Committee’s primary purposes are to (i) monitor and review our enterprise risk management framework and risk appetite for credit, market, liquidity, operational, information technology and information security, compliance and legal, strategic, and reputation risks, and (ii) monitor and review the adequacy of our enterprise risk management functions.
As a general matter, except for cases where a particular committee may choose to meet in executive session, all Board members are invited (but not required) to attend the regular meetings of all Board committees. We believe that this transparent and collaborative structure provides for a more informed Board, and helps the Board understand and monitor internal and external risks.
Risk Appetite Statement
The Board oversees, and approves on at least an annual basis, the Company’s Risk Appetite Statement, which sets forth qualitative and quantitative tolerance levels with respect to the amount and types of key risks underlying the Company’s business. Key risk indicator limits and thresholds are measured and reported quarterly to the Board on the Company’s risk dashboard. Suggested changes to the Company’s Risk Appetite Statement or related risk indicator limits and thresholds received from management are reviewed and challenged by the second line of defense, principally Enterprise Risk Management, after which changes are reviewed, challenged, and ultimately approved by the Enterprise Risk Committee of the Board. The Enterprise Risk Committee is responsible for overseeing the Company’s compliance with the Risk Appetite Statement. Our other Board committees also share responsibility for the Risk Appetite Statement by overseeing and approving applicable risk metrics that are contained in significant enterprise-wide policies, for example, concentration limits in the Credit Policy.
Risk & Controls
With oversight from our Board and its committees, we are focused on, and continually invest in, our risk management and control environment. Our business teams, supported by our risk, compliance, legal, finance, and internal audit functions, work together to identify and manage risks applicable to our business, as well as to enhance our control environment. Particular areas of focus include, among other things, financial reporting, credit, concentrations, fraud, data management, privacy, bank regulatory requirements, and as further discussed below, cybersecurity.
We have adopted a three lines of defense model to control risk-taking. Our first line of defense, our business lines and support functions, identifies, assesses, monitors, and manages risk in these areas in accordance with established policies and procedures. Our second line of defense, independent risk management, including enterprise risk management, information security, compliance, and Bank Secrecy Act/AML functions, coordinates and oversees the implementation of the enterprise risk management framework, including monitoring the risk management activities of the first line of defense, and provides effective challenge to management’s decisions. Our third line of defense, Internal Audit, provides independent assurance to the Audit Committee of the Board on the design and effectiveness of our internal controls.
Cybersecurity
Information Security Program and Standards
Under the leadership of our Chief Information Security Officer (CISO), we have developed and implemented a risk-based information security program.
Our information security and privacy programs are aligned with the National Institute of Standards and Technology (NIST) Cyber Security Framework. This framework enables monitoring and evaluation of cybersecurity risk by organizing information, enabling risk management decisions, and addressing emerging threats. The Information Security Program and all applicable policies, processes, and technologies apply to all of our operations and all of our employees.
During 2022, we did not experience a material compromise to any of our data systems, platforms, or infrastructure and did not incur any expenses resulting from information security breaches, penalties, or settlements. Should an information security incident occur, we have resources outlined in our Incident Response Plan to assist with forensic analysis, response strategies, and crisis communications.
Cybersecurity Strategy
• Board Oversight and Risk Management. The Board of Directors and Enterprise Risk Committee oversee our information security program, including risks related to information security and cybersecurity. The Board of Directors establishes the information security risk appetite, as set forth in the Bank’s Risk Appetite Statement, and approves the information security program. Cybersecurity and data privacy risks are integrated into our enterprise risk management process, in which key risks are evaluated by the Enterprise Risk Committee at least quarterly and then reviewed by the full Board. Our CISO regularly presents updates on the information security program to the full Board of Directors.
• Threat Intelligence Technology. Our vulnerability management and threat intelligence program assesses the threat and vulnerability landscape, leveraging industry-leading tools and intelligence to detect, evaluate, prioritize, and track threats and vulnerabilities through mitigation and/or remediation. The program includes regularly scheduled internal and external risk-based scanning.