Being Proactive to Manage Risk

Maintaining a culture committed to ethical behavior and compliance is a foundation of risk management. Our Board of Directors has primary responsibility for risk oversight, including disclosing and treating risks as needed. This responsibility allows the Board to analyze the company’s material risks and influence business strategies in light of these risks. 

We integrate risk management throughout our business, utilizing the three lines of defense model as a framework. 


The first line of defense begins at the department and business unit level to identify risk at the frontlines of the organization. The second line of defense — our Risk and Compliance team led by Chief Risk & Compliance Officer Patrick Craine — provides impartial enterprise risk and compliance analyses. Managed within this team is our enterprise risk management (ERM) process. Through ERM, internal risk committees comprised of senior management and subject matter experts across the company review and assess the company’s risks. High-priority risks are evaluated at the executive level and quarterly ERM updates are provided to the Board Audit Committee.

The third line of defense is our Internal Audit Department, an independent and objective assurance group that reports directly to the Board’s Audit Committee. The department conducts independent risk-based audits of department and business unit controls and processes. This includes evaluating the company’s compliance practices, measuring risk exposure and verifying data and other information used to make key corporate decisions. Material audit findings are reported to the Board independent of any other elements of our risk management program for greater assurance. 

Risk Treatments

Should a risk require treatment, management oversees the development and execution of specific mitigation plans to reduce the risk to an acceptable level. Mitigation options include, but are not limited to, adopting or enhancing corporate policies and procedures, contingency plans, insurance policies, or hedging strategies. Our business continuity and disaster recovery process is an example of enterprise level contingency planning. Through this process, a cross-functional task force assesses business impacts of certain risks and develops enterprise response and recovery plans to reduce those impacts.

Even after treatment, we commit to monitoring for risk as added assurance for our risk management program. We view risk management as a cycle incorporating five key aspects: