Risk management IBM’s consistent, systemic, and integrated approach to enterprise risk management (ERM) is designed to identify, mitigate, and manage significant risks. Our ERM function assesses risks across the organization to develop a holistic, enterprise-level view of risks arising from evolving regulatory or financial environments, operations, or strategic planning and execution—including environmental and climate-related risks. The program also assesses interdependencies between risks, and collaborates with risk owners to optimize actions across IBM. We also promote a company culture of risk awareness through online education and mandatory training in areas such as business integrity and cybersecurity—including a new Risk Academy, where IBMers can take courses and earn badges on risk management awareness and skills. Additionally, IBMers can report potential risks through numerous online channels (anonymously if preferred), or to local management. Oversight of risk management begins with IBM’s Board of Directors, which is responsible for assessing our ERM approach and overseeing management’s execution of its risk responsibilities. The board and its three committees receive periodic updates on the ERM program, and each committee examines specific risk components: – Audit Committee— Financial and audit risks identified through IBM’s enterprise management framework, including those related to cyber, privacy, and AI ethics. – Executive Compensation and Management Resources Committee— Risks related to compensation programs and employee engagement as an indicator of company culture, and reviews IBM’s human capital management, diversity and inclusion, and other management resources programs. – Directors and Corporate Governance Committee— Risks associated with government and industry regulations, as well as corporate social responsibility, sustainability, environmental, and other societal and governance matters. IBM’s senior management is responsible for assessing and managing IBM’s various exposures to risk on a day-to-day basis, while the ERM program is overseen by our chief risk officer (reporting to the CFO), a risk council of business unit and process leaders, and senior management’s relevant governance forums. IBM has developed tools that employ analytics and AI technologies to assist our ERM processes. Our Country Financial Risk Scorecard identifies emerging risk areas and alerts country and regional leadership so they can respond proactively. 14 IBM 2021 ESG Report