2021 Owens Corning Sustainability Report | Appendices | 359 TCFD CLIMATE RISK & OPPORTUNITIES Appendix G Between annual reviews, the registers are reviewed by the business stakeholders, and the risk committee meets quarterly to discuss any applicable updates. The risk registers are also reviewed by both the audit committee and the executive committee, regardless of any planned updates, to ensure that no risks are missed by the risk committee. Should any material updates be made, these are then reviewed with the executive committee and audit committee of the board as well. In addition to the business-level reviews, Owens Corning’s sustainability and reporting analytics team monitors the company’s climate-related data. This team works to understand global regulations and emerging expectations related to ESG, including their potential impact on our businesses. By staying abreast of ESG reporting trends, including the entire ecosystem of ESG ratings and rankings as well as reporting frameworks, sustainability reporting standards, sustainability reporting standards, and disclosure legislation, the team can provide recommendations based on their in-depth knowledge. The team also completes competitive intelligence monitoring and benchmarking, and they analyze trends and market expectations related to sustainability. Environmental metrics and data are monitored using Schneider Electric’s Resource Advisor system. Data is input into the system where it can be reviewed and analyzed. Risk Registers Owens Corning’s business units proactively analyze risks and create business-specific and function-specific risk registers. We currently have an enterprise risk register, as well as sub-registers for each of our three businesses, as well as compliance and finance. The risk committee then uses these individual risk registers to create a corporate-level risk register, which enables business units and the risk committee to facilitate strategic and operational planning processes while mitigating sustainability risks. Risks are prioritized based on their placement in the risk register. The Y-axis (“Value”) represents the potential financial impact, while the X-axis (“Likelihood”) represents the probability of occurrence. Color coding (for emphasis) and different shapes (for trending information) offer a fuller understanding of the potential risks. Risks in green indicate that the level of exposure is acceptable, yellow indicates mitigation plans are actively in place, and red indicates that improved risk mitigation is needed. In 2021, we added the concept of risk velocity to our conceptualization of risk, describing the potential rate at which a risk could impact our businesses. While risk velocity is not depicted on the risk register in an infographic manner, the concept is described in conjunction with the overall register narrative. By incorporating the idea of risk velocity into our understanding of risk, we gain a better understanding impending impacts, which enables us to be proactive in our approach. To identify new risks — and update risks no longer considered important — the risk committee regularly reviews results and outputs of risk assessments. Meeting four times per year, the risk committee is well-equipped to implement a robust mitigation plan across businesses as well as corporate functions. Our enterprise risk management (ERM) process is updated and reviewed annually by the board’s executive and audit committees to ensure it remains relevant and proactive. Owens Corning’s risk committee meets with functional and business leaders throughout the organization to discuss identified risks and manage corresponding action plans. Risks are considered by the committee for all ranges of time horizon, and in all aspects of the value chain. At the asset level, our business units (BUs) create business- specific risk registers, which are used in their strategic and operational planning processes. In creating these registers, the BUs identify internal and external factors that could pose threats and opportunities to their business. They evaluate the potential impact and likelihood, and then establish management plans to mitigate each risk. Risks are then either retained (risk exposure is accepted without further mitigation), reduced/transferred (risk exposure is reduced, transferred, or consequences are reduced) or avoided (risk exposure eliminated entirely; for example, by ceasing a business). The risk committee considers significant risk to the corporation using the following process: 1. Review the Owens Corning Risk Register substantiated by business and functional reviews. The risks are prioritized based on their placement on the register. The Y-axis is a measure of financial impact and the X-axis is a measure of probability of occurrence. For example, a risk located toward the upper left of the risk map would be indicative of risk that is high in financial impact but low in probability. 2. Align around key mitigation programs. Based on the risk assessment register outputs, the risk committee identifies the various mitigation actions to be taken and a planned approach is taken towards implementing them through the businesses. 3. Review risk register with the executive committee. All risk assessment results and outputs are reviewed by the executive committee, and feedback received is incorporated in the action register and reflected in the mitigation planning.