appetite and risk management strategies. Through the oversight of the Company’s results compared to the Board-approved Strategic Plan and budget, the Board assesses whether management is implementing the Company’s strategy consistent with its core principles of soundness, profitability and growth and its other strategic priorities. While the Board oversees our risk management, management is responsible for the day-to-day risk management processes. We believe this division of responsibility is the most effective approach for addressing the risks facing our Company and that the Board’s leadership structure supports this approach.
Risk Governance Structure
Risk is inherent in all of our business activities. As a result, we have developed a comprehensive approach to risk management by adopting a Risk Appetite Statement and a Risk Framework supporting the Risk Appetite Statement.
The Risk Appetite Statement defines the aggregate levels and types of risk our Board and management believe appropriate to achieve our Company’s strategic objectives and business plan.
The Risk Framework sets forth clear roles, responsibilities, and accountability for the management of risk and describes how our Board oversees the monitoring of our risk appetite through the assessment of key risk indicators and performance factors. It outlines the seven types of risk that our Company faces: compliance risk, credit risk, operational risk (specifically including cybersecurity risk and model risk), interest rate risk, liquidity risk, market risk, reputation risk, strategic risk and risks associated with the Bank’s correspondent, mortgage, factoring (Corporate Billing) and wealth lines of business. The Risk Framework describes components of our risk management approach, including the adoption of the three lines risk model and the implementation of a culture of managing risk through our risk management processes, with a focus on the role of all employees in managing risk. It also outlines our risk management governance structure, including the roles of our Board, management, lines of business, independent risk management, and internal audit within the governance structure.
On a quarterly basis, we evaluate the existing risks facing the Company against the Risk Appetite Statement to ensure that actual operations of the Company align within the Company’s risk appetite. The Risk Appetite Statement and Risk Framework are reviewed and approved by the Board annually. Independent Board oversight of the Risk Appetite Statement and Risk Framework and independent assessment by the Board of our risk profile against our Risk Appetite and Framework on a quarterly basis enable us to better serve our customers, deliver long-term value for our shareholders, and achieve our strategic objectives.
Our Chief Risk Officer, the Company’s senior-most risk manager, has a dual reporting structure, reporting both to the President of the Company and to the Board Risk Committee. This governance structure is designed to complement our Board’s commitment to maintaining an objective, independent Board and committee leadership structure.
Board Oversight of Cybersecurity Risk
Our Board recognizes the importance of protecting the data provided by the Company’s customers, clients, and employees and devotes significant time and attention to overseeing the strategies the Company employs to protect our data and systems and to mitigate against cybersecurity risk. The Board includes a cybersecurity expert who chairs the Risk Committee and provides technology-related insight and guidance to the Company.
As part of the Risk Committee’s responsibility for monitoring key business and regulatory risks, the Risk Committee reviews presentations and reports at each meeting on the Company’s cybersecurity program and its efforts to mitigate cyber risks. These presentations and reports address topics such as the threat environment and vulnerability assessments, results of penetration testing, results of key cyber risk indicators and performance metrics, and the Company’s ongoing efforts to identify, prevent, detect, and respond to internal and external critical threats. The Risk Committee also reviews reports on the Company’s efforts to provide ongoing employee training on responsible information security, data security, and cybersecurity practices and how to protect data against cyber threats through employee-targeted campaigns and materials. The Audit Committee reviews reports of the Company’s internal Audit Department’s periodic audits of our information security, data security, and cybersecurity program. On an annual basis, the Board approves the Company’s Information Security Policy and Program, which provides a layered approach to cybersecurity and includes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of customer information in accordance with applicable law.
Board Oversight of ESG Risk
The Board recognizes the importance of responding to existing and emerging risks relating to governance, social and environmental changes. The Governance and Nominating Committee has been given responsibility for overseeing current and emerging environmental, corporate social responsibility, and governance matters that are relevant to the business, operations, or public image of the Company or that are otherwise pertinent to the Company and its shareholders, employees, customers, and parties with whom it does business. Recognizing the particular importance of attracting and retaining a diverse and talented workforce, the Company has established a Board-level Culture Committee, which focuses on the Company’s human capital management initiatives, including its diversity and inclusion initiatives and talent attraction, motivation and retention. The Company’s Director of Corporate Stewardship, who reports directly to our CEO, leads our diversity and community development efforts and provides regular reports to the Culture Committee.