2021 Owens Corning Sustainability Report | Our Approach | Risk Management | 60 Risk Mitigation Framework Risk Management Training Our enterprise risk management function (and philosophy) is dispersed throughout the organization at all levels, and we ensure that risk registers are updated through risk liaisons. Each sub-register has a risk liaison, who is responsible for facilitating updates to their respective sub-register. Risk liaisons receive thorough training from the corporate risk leader, and they then go on to train subject matter experts and risk owners in their respective businesses or corporate areas. As part of this process, individuals are trained in our approach to Enterprise Risk Management. Additionally, the legal department initiates annual training on our Business Code of Conduct and antitrust policies globally to broadly address key compliance risks. Each business is required to complete strategic planning, covering risk management and strategic risk. Owens Corning conducts regular and ongoing risk management training for personnel in the risk committee and risk functions, including sourcing and finance globally. Risk Management and Human Resources Effective risk management is considered in our human resources (HR) processes for employees who are responsible for identifying and continually progressing mitigation strategies for risks in their daily job responsibilities. This is evidenced by our risk management process, which includes development of risk registers at the enterprise level, business unit level, and corporate function level. In support of our efforts to reduce risk in HR, Owens Corning has implemented an executive committee review, which details talent health, leadership succession, hiring and developing capabilities, retention, and inclusion and diversity progress. Engaging Employees in Risk Management Many employees are involved in risk identification, as we encourage them to identify new risks to the organization through questionnaires, interviews, and the regular update of the business and enterprise risk registers. During these reviews, employees are given a forum to provide feedback. Potential risks regarding such items as sourcing, safety, environmental, and HR are raised at the plant level, and their learnings are shared across the company and are evaluated at the leadership team level in each facility; when appropriate, they are compiled into the business unit-level risk register. Once within the risk register, processes are established and appropriate employees are trained. There is also focused web-based loss-control training available for plant personnel. In keeping with our culture of safety, employees are encouraged to be proactive in their management of risk. An example of this can be found in our integration of Total Productive Maintenance (TPM) into our operations. TPM emphasizes proactive and preventive activities to maintain, operate, and improve production. All employees are involved in maintaining their own process during production, which creates a shared responsibility for equipment and increases involvement from everyone. In addition, hazard recognition and near-miss reporting are significant tools within our safety culture and throughout the plant network. Employees are encouraged to report their concerns to any manager, member of human resources or legal operations, or any member of our business conduct council (BCC). Employees may also submit their concerns (anonymously) to our BCC through a confidential helpline (1-800-461-9330) or web portal, operated by a third-party service provider. Employees can also report their concerns to the council using a designated email ([email protected]) address or a dedicated postal mailbox. Key executives are also engaged to review areas of risk, as they are interviewed each year by our internal audit team as they develop an audit plan. In 2020, we began to integrate this with our ERM. Each quarter, the three businesses, finance, and compliance refresh their risk registers and identifies any new or materially changed risks and how they relate to the strategic plan. This emphasis on risk also extends to new acquisitions. As part of our due diligence in the acquisition process, we evaluate the risk for items such as environment, safety, financial, IT, product stewardship, HR, and sourcing. For example, the process for safety includes leading indicator analysis and injury review calls, where each facility that has a “high-risk” first aid or injury incident shares best practices. IDENTIFYING RISKS PRIORITIZING RISKS ALIGNING AND REVIEWING MITIGATION PLAN