4. Risk Management The climate change risks arising from increasing frequency and severity of extreme weather events (“physical risks”) and the risks arising from the transition to a low-carbon economy (“transition risks”) are incorporated into our overall enterprise risk profile. 4.1 Oversight and strategic risk management The Board, the Audit Committee and our internal Enterprise Risk Committee composed of Salesforce executives are responsible for oversight of our enterprise risk assessment and overall risk management practices at Salesforce. The Enterprise Risk Committee meets periodically to review changes in/to the enterprise risk profile and the actions functional leaders have taken to monitor, control and mitigate significant exposures. 4.2 Enterprise risk management (“ERM”) process Our ERM process includes consultations with a wide array of cross-functional internal and external stakeholders and follows a clearly-defined process to identify and assess risks. Identified risks are assessed for their business impact, which considers consequences that may h ave financial and strategic impacts on our business, including impacts to customers, reputation, legal/compliance, employees and execution of our strategy. Emerging risks, including climate-related risks, are also assessed during this process. Each identified risk is assigned an overall risk rating which carefully considers: the magnitude of financial and strategic implications related to all relevant risks, the likelihood of a risk occurring, the speed at which the risk could impact our business and any mitigating factors that are in place. These risks are discussed periodically with the Enterprise Risk Committee and the Audit Committee on at least an annual basis (or more frequently as necessary). Ongoing processes exist to manage top risks and ownership is distributed throughout the organization as shown below. 11 | Salesforce TCFD Report