2021 ESG Report GOVERNANCE 8 RISK TYPES P O L I C I E S B O A R D O V E R S I G H T IDENTIFY RISK ASSESS RISK MANAGE RISK MONITOR RISK REPORT RISK C O M M I T T E E S L I M I T S Risk Management Process Our risk management process ensures a consistent and comprehensive approach to how we identify, measure and assess, manage, monitor, and report risks. We also have established processes and programs to manage and report concentration risks; to ensure robust talent, compensation, and performance management; and to aggregate risks across the enterprise. Fifth Third’s eight risk types: • Credit Risk • Liquidity Risk • Interest Rate Risk • Price Risk • Operational Risk • Reputation Risk • Strategic Risk • Legal and Regulatory Compliance Risk Risk Governance Fifth Third’s risk governance structure ensures proper oversight of risk across the organization. It provides a path for escalation of risks and issues to management and Board-level committees to drive efective risk decisioning . The Board is responsible for actively overseeing risk-taking activities and holding management accountable for adhering to the risk management framework. The Board delegates certain responsibilities to Board Committees, including the Risk and Compliance Committee (RCC) and the Audit Committee . The RCC is the primary committee that oversees risk and assists the Board in its oversight of the Bancorp’s Enterprise Risk Management Framework and approves the framework (inclusive of risk appetite) and primary risk management policies . The Audit Committee of the Board is the primary committee that has responsibility, fduciary duty and authority to oversee the management, fnancial statements and audit functions . Contents The Enterprise Risk Management Committee (ERMC) is chaired by the Chief Risk Ofcer. It is comprised of voting members from executive management and reports to the RCC. The committee is responsible for reviewing and approving frameworks and policies to ensure efective risk management, overseeing the management of all risk types to ensure that risks remain within Fifth Third’s risk appetite and fostering a risk culture that supports our risk management objectives. The ERMC oversees key management committees responsible for specifc risk types and key risk related policies and processes, in order to support an aggregate view of risk and provide executive level risk management oversight of all risk types. Fifth Third’s risk governance structure ensures proper oversight of risk across the organization. It provides a path for escalation of risks and issues to management and Board-level committees to drive efective risk decisioning. Introduction Economic Environment Social Governance Three Lines of Defense Accountability for managing risk is driven through a Three Lines of Defense structure: FIRST LINE OF DEFENSE is comprised of front line units that create risk or are accountable for risk. SECOND LINE OF DEFENSE , or independent risk management, consists of risk management, compliance, and credit risk review. THIRD LINE OF DEFENSE is internal audit, which provides oversight of the frst and second lines of defense. Fifth Third’s Risk and Compliance Committee Structure BOARD RISK AND COMPLIANCE COMMITTEE ENTERPRISE RISK MANAGEMENT COMMITTEE TRUST & FIDUCIARY MANAGEMENT COMMITTEE RETAIL NONDEPOSIT INVESTMENT PRODUCT OVERSIGHT COMMITTEE ASSET/LIABILITY COMMITTEE CAPITAL COMMITTEE MANAGEMENT COMPLIANCE COMMITTEE OPERATIONAL RISK COMMITTEE CLIMATE RISK COUNCIL CORPORATE RESPONSIBILITY & REPUTATION COMMITTEE LOAN LOSS RESERVE COMMITTEE CORPORATE CREDIT COMMITTEE 89