CWBFG Annual Report 2022

Key Operational Risks

PEOPLE RISK

People risk means the potential for loss or harm arising from ineffective practices related to people, culture and employment. Failure to effectively manage people risk can result in operational disruptions and uncertainty, failure to meet strategic objectives, injury or harm to individuals, or damage to CWB’s brand. We intend to continually attract and retain qualified team members to successfully execute against our strategic priorities. We do this by proactively investing in our practices and programs to build a positive, rewarding and collaborative work environment, where teams are empowered to deliver exceptional client experiences. Human Resource guidelines and processes are in place to establish accountability in relation to people risk, to ensure team members are adequately trained to perform the tasks for which they are responsible, and to enable talent attraction, development, and retention. Our values include a people first approach to planning and execution, a focus to drive inclusion and diversity as key business advantages, and specific strategies to increase our brand awareness in the markets where we operate. We complement this with a specialized and knowledgeable approach to talent acquisition, a robust focus on employee engagement, effective communication and employee listening strategies, proactive organizational change management, a competitive total rewards offering with differentiated benefits, flexible work arrangements, comprehensive learning and development opportunities and a proactive focus on succession planning.

TECHNOLOGY AND CYBERSECURITY RISK

Technology Risk

Technology risk is the risk of loss or harm related to the operational performance, confidentiality, integrity and availability of our information, systems and infrastructure. We are dependent upon technology and supporting infrastructure, such as voice, data, systems and network access. In addition to internal resources, various third parties provide key infrastructure, and application services to support our operations. Disruptions in information technology and infrastructure, whether attributed to internal or external factors, and including potential disruptions in the services provided by various third parties, could adversely affect our ability to conduct regular business and/or deliver products and services to clients. We have several projects underway focused on increasing our digital capabilities which may potentially increase risk exposure related to information systems and technology. Ongoing diligence is required to ensure systems are resilient and secure from threats. We continuously identify and assess key services to ensure potential failure points are highlighted and related risk is mitigated in the best possible way (i.e. upgrades, enhancements, new products). We rely on technology that incorporates built-in controls such as configuration management, change management, capacity management along with information security management programs. With a significant number of our team members working remotely reflecting the new hybrid work environment, our dependence on remote access to information technology and supporting infrastructure remains elevated. We regularly monitor, assess and revise our business continuity approach and response to ensure our ability to maintain critical operations through periods of business disruption. Our Information Services team has worked diligently to ensure our teams have uninterrupted remote access to required technology and infrastructure through our secure platforms. 
Our Information Services team also continues to partner with GRM to apply further rigour and enhanced governance of the identification and evaluation of potential risks in the technology environment.

Cybersecurity Risk

Cybersecurity risk is the risk of loss or harm due to compromise of our information assets (i.e. the unauthorized use, loss, damage, disclosure, or modification of company information and information systems) caused by a failure to protect our information assets. Our Cyber Risk Management standard provides a consistent enterprise-wide approach to efficiently and effectively manage cyber risk while supporting CWB to achieve our strategic objectives. We manage information security risk by ensuring appropriate technologies, processes and tools are effectively designed and implemented to help prevent, detect, and respond to threats as they emerge and evolve. We continually enhance our processes to align with the changing regulatory environment such as OSFI’s B-13 Technology and Cyber Risk Management. Our Information Security Office continues to enhance our comprehensive suite of controls to protect CWB’s operations, our customer and corporate data from attack and has partnered with leading third-party service providers to provide counsel and support should the need arise. We regularly test the completeness and effectiveness of our information and cybersecurity program through penetration testing and control evaluation exercises conducted by independent third parties, the continuous monitoring of our environment for indications of control weakness by a team of dedicated resources, and mandatory training sessions for all team members. As we continue to enhance our digital capabilities, a focus to advance our cybersecurity enables our growth trajectory.
By implementing and benchmarking the effectiveness of our industry-proven cybersecurity risk and control frameworks, we ensure our ability to safely deliver services to our clients through digital channels.

OUTSOURCING AND THIRD-PARTY RISK

Outsourcing and third-party risk is the risk of loss or harm due to a third-party service provider failing to deliver functionality and performance required to effectively support underlying business objectives, caused by inadequate selection, retention, oversight and/or monitoring of the relationship, or by inadequate contractual terms and conditions. To manage this risk, we rely on our Third-party Risk Management framework, which reflects a risk-based approach to centrally identify, assess, manage and monitor third-party risk and leverages the three lines of defence model. We continued to mature our third-party risk management processes and tools this year, particularly in relation to the assessment of the internal control environment of potential service providers prior to entering into an engagement, with a focus on technology providers. Third-party Risk Management will continue to be a focus to continue to enhance our operational resilience and to ensure continued delivery of critical operations during times of disruption.

DATA RISK

Data risk is the risk, whether direct or indirect, that arises from reliance on data to support our ability to make informed decisions and develop accurate reporting and analytics for senior management, our Board of Directors, regulators, or customer facing and/or marketing purposes. Potential risks can relate to data management, data taxonomy, metadata, governance, access, or data that is incomplete, inaccurate, untimely and/or inaccessible. Data is considered a key strategic asset and the volume, value, and type of data we rely on has increased in recent years.
As data is produced and consumed by different business lines and geographies across CWB, an effective, collaborative, and holistic approach to data risk management has been implemented to minimize reputation, regulatory and financial risk. Our Data Governance framework and supporting protocols reflect a risk-based approach to support oversight and management of critical data elements to enable greater coordination and consistency of our data. We continue to enhance and mature our data remediation processes and data quality monitoring tools. Our ongoing programs related to data protection and access management also ensure that data is only accessible when directly relevant to the team member’s role.

