��ţ��������

The following is an excerpt from our , describing our risk governance framework and risk appetite principles.

�ճ����Board of Directors (the BoD) approves the risk management and control framework of the Group, including the Group and business division overall risk appetite. �ճ����BoD is supported by its Risk Committee, which monitors and oversees the Group’s risk profile and the implementation of the risk framework approved by the BoD, and approves the Group’s risk appetite methodology. The Corporate Culture and Responsibility Committee (the CCRC) helps the BoD meet its duty to safeguard and advance ��ţ��������’s reputation for responsible and sustainable conduct, reviewing stakeholder concerns and expectations pertaining to ��ţ��������’s societal contribution and corporate culture. The Audit Committee assists the BoD with its oversight duty relating to financial reporting and internal controls over financial reporting, and the effectiveness of whistleblowing procedures and the external and internal audit functions.

�ճ����Group Executive Board (the GEB) has overall responsibility for establishing and implementing a risk management and control framework in the Group, managing the risk profile of the Group as a whole.

�ճ����Group Chief Executive Officer has responsibility and accountability for the management and performance of the Group, has risk authority over transactions, positions and exposures, and allocates business divisions and Group Functions risk limits approved by the BoD.

�ճ����business division Presidents and Group functional heads are responsible for the operation and management of their business divisions / Group Functions, including controlling the dedicated financial resources and risk appetite of the business divisions.

�ճ����regional Presidents ensure cross-divisional collaboration in their regions and are mandated to inform the GEB about any regional activities and issues that may give rise to actual or potentially material regulatory or reputational concerns.

�ճ����Group Chief Risk Officer (the Group CRO) is responsible for developing the Group’s risk management and control framework (including risk principles and risk appetite) for credit, market, country, treasury, model and sustainability and climate risks. This includes risk measurement and aggregation, portfolio controls and risk reporting. The Group CRO sets risk limits and approves credit and market risk transactions and exposures. Risk Control is also the central function for model risk management and control for all models used in ��ţ��������. A framework of policies and authorities support the risk control process.

�ճ����Group Chief Compliance and Governance Officer is responsible for developing the Group’s non-financial risk framework, which sets the general requirements for identification, management, assessment and mitigation of non-financial risk, and for ensuring that all non-financial risks are identified, owned and managed according to the non-financial risk appetite objectives, supported by an effective control framework.

�ճ����Group Chief Financial Officer is responsible for transparency in assessing the financial performance of the Group and the business divisions, and for managing the Group’s financial accounting, controlling, forecasting, planning and reporting. Additional responsibilities include managing ��ţ��������’s tax affairs, as well as treasury and capital management, including liquidity and funding risk and ��ţ��������’s regulatory ratios, Finance Artificial Intelligence & Data Analytics strategy and Group M&A.

�ճ����Group General Counsel manages the Group’s legal affairs (including litigation involving ��ţ��������), ensuring effective and timely assessment of legal matters impacting the Group or its businesses, and managing and reporting all litigation matters.

�ճ����Head Human Resources is responsible for independent oversight and challenge of employment-related risks.

Group Internal Audit (GIA) independently assesses the effectiveness of processes to define strategy and risk appetite and overall adherence to the approved strategy. It also assesses the effectiveness of governance processes and risk management, including compliance with legal and regulatory requirements and internal governance documents. The Head GIA reports to the Chairman of the BoD. GIA also has a functional reporting line to the BoD Audit Committee.

Some of these roles and responsibilities are replicated for significant legal entities of the Group. Designated legal entity risk officers oversee and control financial and non-financial risks for significant legal entities of ��ţ�������� as part of the legal entity control framework, which complements the Group’s risk management and control framework

We have a defined Group-level risk appetite, covering all financial and non-financial risk types, via a complementary set of qualitative and quantitative risk appetite statements. This is reviewed and recalibrated annually and presented to the BoD for approval.

Our risk appetite is defined at the aggregate Group level and reflects the types of risk that we are willing to accept or wish to avoid. It is set via complementary qualitative and quantitative risk appetite statements defined at a firm-wide level and is embedded throughout our business divisions and legal entities by Group, business division and legal entity policies, limits and authorities. Our risk appetite is reviewed and recalibrated annually, with the aim of ensuring that risk-taking at every level of the organization is in line with our strategic priorities, our capital and liquidity plans, our Pillars, Principles and Behaviors, and minimum regulatory requirements. The “Risk appetite framework” chart below shows the key elements of the framework, which is described in detail in this section.

Qualitative risk appetite statements aim to ensure we maintain the desired risk culture. Quantitative risk appetite objectives are designed to enhance ��ţ��������’s resilience against the effects of potential severe adverse economic or geopolitical events. These risk appetite objectives cover ��ţ��������’s minimum capital and leverage ratios, solvency, earnings, liquidity and funding, and are subject to periodic review, including the yearly business planning process. These objectives are complemented by non-financial risk appetite objectives, which are set for each of our non-financial risk categories. A standardized quantitative firm-wide non-financial risk appetite has been established at the Group and business division levels. Non-financial risk events exceeding predetermined risk tolerances, expressed as percentages of ��ţ��������’s total revenue, must be escalated as per the firm-wide escalation framework to the respective business division President or higher, as appropriate.

The quantitative risk appetite objectives are supported by a comprehensive suite of risk limits set at a portfolio level to monitor specific portfolios and to control potential risk concentrations.

The status of risk appetite objectives is evaluated each month and reported to the BoD and the GEB. As our risk appetite may change over time, portfolio limits and associated approval authorities are subject to periodic reviews and changes, particularly in the context of our annual business planning process.

Our risk appetite framework is governed by a single overarching policy and conforms to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework