Being Proactive to Manage Risk
Maintaining a culture committed to ethical behavior and compliance is a foundation of risk management. Our Board of Directors has primary responsibility for risk oversight, including disclosing and treating risks as needed. This responsibility allows the Board to analyze the company’s material risks and influence business strategies in light of these risks.
We integrate risk management throughout our business, utilizing the three lines of defense model as a framework.
The first line of defense begins at the department and business unit level to identify risk at the frontlines of the organization.
The second line of defense — our Risk and Compliance Department led by Patrick Craine, Chief Risk & Compliance Officer — provides impartial enterprise risk and compliance analyses and reports directly to the Board’s Audit Committee. This team also manages our enterprise risk management (ERM) process. Through ERM, internal risk committees composed of senior management and subject matter experts from across the company review and assess the company’s risks. High-priority risks are evaluated at the executive level, and quarterly ERM updates are provided to the Board Audit Committee.
The third line of defense is our Internal Audit Department, an independent and objective assurance group that also reports directly to the Board’s Audit Committee. The department conducts independent risk-based audits of department and business unit controls and processes. This includes evaluating the company’s compliance practices, measuring risk exposure and verifying data and other information used to make key corporate decisions. For greater assurance, material audit findings and overdue management action plans are reported to the Board independent of other elements of our risk management program.
Should a risk require treatment, management oversees the development and execution of specific mitigation plans to reduce the risk to an acceptable level. Mitigation options include, but are not limited to, adopting or enhancing corporate policies and procedures, contingency plans, insurance policies or hedging strategies.
Our business continuity and disaster recovery process is an example of enterprise-level contingency planning. Through this process, a cross-functional task force assesses business impacts of certain risks and develops enterprise response and recovery plans to reduce potential associated impacts.
Even after treatment, we commit to continuing to monitor for risk. We view risk management as a cycle incorporating five key aspects: