CWBFG Annual Report 2023

Key Operational Risks

PEOPLE RISK

People risk means the potential for loss or harm arising from ineffective practices related to people, culture and employment. Failure to effectively manage people risk can result in operational disruptions and uncertainty, failure to meet strategic objectives, injury or harm to individuals, or damage to CWB’s brand.

We intend to continually attract and retain qualified team members to successfully execute against our strategic priorities. We do this by proactively investing in our practices and programs to build a positive, rewarding and collaborative work environment, where teams are empowered to deliver exceptional client experiences. Human Resource guidelines and processes are in place to establish accountability in relation to people risk, to ensure team members are adequately trained to perform the tasks for which they are responsible, and to enable talent attraction, development, and retention.

A people-first approach is specifically referenced in our values as we focus on driving inclusion and diversity and execute on specific strategies to increase our brand awareness in the markets where we operate. We complement this with a specialized and knowledgeable approach to talent acquisition, a robust focus on employee engagement, effective communication and employee listening strategies, proactive organizational change management, a competitive total rewards offering with differentiated benefits, flexible work arrangements, comprehensive learning and development opportunities and a proactive focus on succession planning.

TECHNOLOGY AND CYBERSECURITY RISK

Technology Risk

Technology risk is the risk of loss or harm related to the operational performance, confidentiality, integrity and availability of our information, systems and infrastructure. We are dependent upon technology and supporting infrastructure, such as voice, data, systems and network access.
In addition to internal resources, various third parties provide key infrastructure and application services to support our operations. Disruptions in information technology and infrastructure, whether attributed to internal or external factors, and including potential disruptions in the services provided by various third parties, could adversely affect our ability to conduct regular business and/or deliver products and services to clients. We have several projects underway focused on increasing our digital capabilities which may potentially increase risk exposure related to information systems and technology. Ongoing diligence is required to ensure systems are resilient and secure from threats.

Our Technology and Cybersecurity Risk Management standard provides a consistent enterprise-wide approach to efficiently and effectively manage technology and cyber risk while supporting the ability to deliver on our strategic objectives. We continuously identify and assess key services (i.e. upgrades, enhancements, new products) to ensure potential failure points are highlighted and the related risk is mitigated in the best possible way (i.e. upgrades, enhancements, new products). We rely on technology that incorporates controls and programs such as asset management, configuration management, change management, capacity management, disaster recovery management, patch management and information security management programs.

With our adoption of a hybrid work environment, our dependence on remote access to information technology and supporting infrastructure remains elevated. We regularly monitor, assess and revise our business continuity approach and response to ensure our ability to maintain critical operations through periods of business disruption. Our Information Services team has worked diligently to ensure our teams have uninterrupted remote access to required technology and infrastructure through our secure platforms.
Our Information Services team also continues to partner with GRM to apply further rigour and enhanced governance of the identification and evaluation of potential risks in the technology environment.

Cybersecurity Risk

Cybersecurity risk is the risk of loss or harm due to compromise of our information assets (i.e. the unauthorized use, loss, damage, disclosure, or modification of company information and information systems) caused by a failure to protect our information assets. We manage information security risk by ensuring appropriate technologies, processes and tools are effectively designed and implemented to help prevent, detect, and respond to threats as they emerge and evolve.

Our Information Security Office continues to enhance our comprehensive suite of controls to protect CWB’s operations and our customer and corporate data from attack, and has partnered with leading third-party service providers to provide counsel and support should the need arise. We regularly test the completeness and effectiveness of our information and cybersecurity program through penetration testing and control evaluation exercises conducted by independent third parties and our Governance, Risk and Controls (GRC) function. We continuously monitor our environment for indications of control weakness, and conduct mandatory security awareness training sessions for all team members.

As we continue to enhance our digital capabilities, a focus to advance our cybersecurity enables our growth trajectory. By implementing and benchmarking the effectiveness of our cybersecurity risk and control frameworks, we ensure our ability to safely deliver services to our clients through digital channels. We continually enhance our Technology and Cyber Risk management processes to align with the changing regulatory environment such as OSFI’s B-13 Technology and Cyber Risk Management and OSFI’s draft Integrity and Security Guidelines, both of which will become effective in January 2024.
OUTSOURCING AND THIRD-PARTY RISK

Outsourcing and third-party risk is the risk of loss or harm due to a third-party service provider failing to deliver functionality and performance required to effectively support underlying business objectives, caused by inadequate selection, retention, oversight and/or monitoring of the relationship, or by inadequate contractual terms and conditions.

To manage this risk, we rely on our Third-party Risk Management framework, which reflects a risk-based approach to centrally identify, assess, manage and monitor third-party risk and leverages the three lines of defence model. We continued to mature our third-party risk management processes and tools this year, including the assessment of the internal control environment of potential service providers, and our monitoring programs. Third-party Risk Management will continue to be a focus to enhance our operational resilience, ensure continued delivery of critical operations during times of disruption and align with the enhanced requirements of the updated OSFI B-10 Guideline on Third Party Risk Management.

FRAUD RISK

Fraud risk is the risk of loss or harm due to any intentional act, misstatement or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain, and may include collusion involving two or more individuals. Our Fraud Risk Management framework outlines our enterprise-wide approach to proactively manage fraud risk within CWB’s fraud risk appetite. CWB employs prevention, detection and response capabilities across the enterprise that are designed to help protect customers, shareholders and employees from fraud risk.
