BNY MELLON ENTERPRISE ESG 43 RESPONSIBLE BUSINESS Our risk appetite defines the limits on the level and nature of the risk we are willing to assume to meet our strategic objectives. Policy Governance. We transformed policy governance by implementing a new policy hierarchy. This included significantly reducing the number of policies, clarifying policy content and responsibilities, and launching a new policy platform for employees while retaining comprehensive coverage of requisite subject matter. Product Governance. We implemented a single, transparent approval pathway for new or modified products and services, accelerating time to market and supporting business growth. Enterprise ESG 2025 Risk Framework Goal Goal : Continue to evolve and fortify our risk infrastructure's integration into BAU practices across the organization* KPI: Promote consistent and aligned utilization of the risk lifecycle (identification, measurement, mitigation, monitoring) across the company as a key factor in risk/reward decisions for product, client and geography prioritization Progress: Global risk frameworks have been enhanced to require specific consideration of climate as a driver of risk, including assessment and management of potential impacts. • Enhanced risk appetite statement with climate change highlighted within broader ESG risk consideration • Identified core vulnerabilities and corporate climate risk profile • Tailored relevant risk policies and governance structures to support risk identification and management • Established specific climate risk requirements for primary risk categories and key risk assessment processes, and initiated stress testing and scenario analysis workstreams • Defined KRIs to measure climate risk impacts and to support monitoring relative to risk appetite • Completed foundational training and initial awareness building to key global teams and select boards Enterprise ESG 2025 Risk Culture Goal Goal: Sustain strong global risk and compliance culture focused on risk awareness, ownership and ethical behavior* KPI: Drive active employee engagement and ownership of risk and compliance requirements through ongoing strategic communication and development Progress: • Provided close to 200 risk and compliance learning courses to approximately 49,600 employees** • Promoted employee understanding and management of risk by regularly publishing leader blogs and news articles on important risk concepts, policies and practices, and sending a regular risk and compliance-focused newsletter to all employees * L anguage in the goal was refined to provide clarity * N umber is cumulative total of unique employees who received training throughout 2021. TYPES OF RISK Our primary risk categories include: Operational Risk (including Compliance & Financial Crimes and Technology & Resiliency Risk), Market Risk, Credit Risk, Liquidity Risk, Strategic Risk and Model Risk. BNY Mellon operates under one enterprise-wide framework for managing risk. Through our Enterprise Risk Management Framework and Policy, we have established common risk management practices that can be understood and consistently applied across the company. ESG issues and, in particular, climate change risk are considered drivers of risk. BNY Mellon recognizes the importance of maintaining a deep understanding of all risk drivers and vulnerabilities that may exist. Risk drivers may include the macroeconomic environment, changes to competitor and/or customer behavior, regulatory or legislative change, climate risks, and a range of other potential sources of risk that may have significant impacts on the global economy and the finance sector over the short, medium and long term. These drivers constitute a risk to BNY Mellon’s balance sheet, business model and future profitability. In summary, a risk driver is an overarching driver of risk that may impact any, and all, risk categories to which BNY Mellon is exposed through the ongoing execution of our business strategy.