RISK MANAGEMENT From cybersecurity threats to changes in the geopolitical landscape, risks to our business and operations are evolving and complex. We follow the “three lines of defense” approach to risk management: • The first line owns and manages risks and functions directly to initiate risk decision activities. • The second line functions independently to monitor and oversee first line risk management activities. • The third line, which consists of the Internal Audit Group, provides independent assurance that the first and second lines of defense operate effectively. Enterprise Risk Management (ERM) at American Express identifies, aggregates, monitors, and reports all risks and establishes the Company’s risk appetite and risk governance processes, culture, and capabilities. Our Chief Risk Officer oversees risks and risk management activities across the Company and chairs the Enterprise Risk Management Committee (ERMC), which oversees the Company’s governance approach to all risks. As part of its remit, the ERMC monitors compliance with risk appetite limits, escalations, and resolution activities to provide awareness of changes in the risk profile and drives continuous improvement of risk management processes and controls. The ERMC also reviews key risk exposures, trends, and concentrations and significant compliance issues and provides guidance on the steps to monitor, control, and report major risks. Our Board monitors our “tone at the top” and risk culture and oversees emerging strategic risks around the world. For more information on Board and management risk oversight, see our 2022 Proxy Statement. Maintaining business continuity and operational resilience Our Crisis Preparedness Program focuses on colleague safety and includes protocols for safeguarding and minimizing impacts to our buildings and assets. In addition, our Enterprise Resilience program addresses the maintenance of key business operations and supporting technology in the event of an unplanned disruption. We support this program with expert-developed and tested Business Continuity Plans, along with the tools, training, and guidance. Across our global supply chain, we assess the resiliency of key third-party service providers and require vendors that provide business critical services to maintain Business Continuity Plans. Colleagues who manage these vendors ensure that both Business Continuity Plans as well as potential Exit Plans are in place should they be needed, including a list of alternative suppliers and/or a strategy to bring the products and services in-house if necessary. a n d E x e r c i s e s D e v e l o p m e n t S t r a t e g i e s T e s t s , T r a i n i n g , P l a n R i s k R e d u c t i o n I m p r o v e m e n t A w a r e n e s s R e p o r t I n t e r d e p e n d e n c i e s A n a l y s i s R i s k A s s e s s m e n t C o n t i n u o u s S i t u a t i o n a l M e a s u r e a n d P o l i c y , S t r a t e g y , a n d B u s i n e s s I m p a c t B u s i n e s s C o n t i n u i t y V A L I D A T E I M P L E M E N T D E S I G N M O N I T O R A L I G N A S S E S S AMERICAN EXPRESS Enterprise Resilience INCORPORATING ESG INTO ENTERPRISE RISK MANAGEMENT How will climate change impact our operations and business as we transition to a low-carbon economy? In 2020 and 2021, we conducted a qualitative climate risk scenario analysis aligned with the Task Force on Climate-Related Financial Disclosures (TCFD) framework to assess physical and transition risks and opportunities to our business related to climate change. ESG risks—in particular climate risk— have been included as an emerging risk for the company, and are part of our Enterprise Risk Management (ERM) framework. Climate-related risks are currently managed as part of our ERM process. The Risk Committee of our Board of Directors provides oversight of our ERM framework, processes, and methodologies, and approves our Enterprise Risk Management policy, which governs risk governance, risk oversight, and risk appetite. Learn more in the TCFD Index. INTRODUCTION PROMOTING DE&I ADVANCING CLIMATE SOLUTIONS BUILDING FINANCIAL CONFIDENCE OUR ESG GOVERNANCE & OPERATING RESPONSIBLY SUPPORTING DATA OUR COMMITMENT TO ESG 85 85