Our Business Practices
We adhere to the highest standards of corporate governance and ethical conduct. We believe that accountability, transparency and good decision-making support our business, serve our customers and create value for our shareholders.
Risk Oversight Committee Charter
The Risk Oversight Committee (the "Committee") of Discover Financial Services (the "Parent") and Discover Bank (the "Bank," and together with the Parent, the "Company") is a committee of both boards of directors (collectively, the "Board") appointed to approve and periodically review the Company's risk-management policies, oversee the operation of an enterprise-wide risk-management framework and the Company's capital planning and liquidity risk-management activities and assist the Board in its oversight of the Company's compliance with certain legal and regulatory requirements. The Company's enterprise risks (including emerging risks) can be categorized into the following types: credit risk, market risk, liquidity risk, operational risk, compliance risk, legal risk and strategic risk. The Committee shall perform such other duties and responsibilities enumerated in and consistent with this Charter.
The Committee's role is one of oversight, recognizing that the Company's management is responsible for assessing and managing the Company's risks. The Company's management is responsible for designing, implementing and maintaining an effective and appropriate enterprise-wide risk-management program, which is overseen by the Committee in accordance with its responsibilities and powers set forth in this charter.
- The Committee shall be comprised of at least three (3) Board members nominated by the Nominating, Governance and Public Responsibility Committee and appointed by the Board, including at least one member having experience in identifying, assessing, and managing risk exposures of large, complex financial firms. Committee members shall serve at the pleasure of the Board and for such term as the Board determines. The Board shall designate one Committee member, which Committee member shall satisfy applicable independence standards, including any standards of the Federal Reserve, as the Committee's chair (the "Chair").
- Each member of the Committee shall be an independent director under applicable Securities and Exchange Commission regulations, New York Stock Exchange listing standards and the independence requirements of the Company. The membership of the Committee shall also satisfy any regulatory or legal requirements regarding experience, expertise or other qualifications that are or may become applicable to the Committee. Determinations of qualifications, including independence, shall be made by the Nominating, Governance and Public Responsibility Committee, using its business judgment.
- The Committee shall meet at least quarterly and otherwise as needed, and shall report directly to the Board on a regular basis. In the absence of the Chair at any meeting of the Committee, the members of the Committee may designate one of its members to serve as the Chair of the meeting. Meetings shall include any participants the Committee deems appropriate and shall be of sufficient duration and scheduled at such times as the Committee deems appropriate to discharge properly its responsibilities.
- The Committee shall meet periodically in separate executive sessions with the Company's Chief Risk Officer, the head of the Consumer Credit Risk Oversight and Review ("CCOR") function, and other members of management as it deems appropriate to carry out its responsibilities.
- The Committee shall make periodic reports to the Board summarizing the matters reviewed and actions taken at each Committee meeting and make available to the Board minutes of all meetings. The Committee shall review with the full Board any issues arising with respect to the performance of the corporate risk-management function.
- The Committee may form and delegate to one or more subcommittees all or any portion of the Committee's authority, duties and responsibilities, and may establish such rules as it determines necessary or appropriate to conduct its business. The Committee shall report on any such delegation to the full Board.
- The Committee shall have direct access to, and have complete and open communication with, the Company's management, including the Chief Risk Officer, the Chief Compliance Officer and the head of the CCOR function, and may obtain advice and assistance from internal legal, risk or other advisors. The Committee may retain independent legal, risk or other advisors as it determines appropriate to assist it in fulfilling its responsibilities, without seeking approval of management or the Board.
- The Company shall provide for appropriate funding, as determined by the Committee, for the payment of: (i) ordinary administrative expenses of the Committee that are necessary or appropriate in carrying out its duties and responsibilities; and (ii) compensation to independent legal, risk or other advisors retained by the Committee.
- The Committee shall review and evaluate annually its performance and report the results to the Board. The Committee shall review and assess annually the adequacy of this charter and, if appropriate, recommend changes to the Board for approval.
- The Committee (which may act through the Chair) shall share information and liaise and meet in joint session with the Audit Committee as necessary or desirable to help ensure that the committees have received the information necessary to permit them to fulfill their duties and responsibilities with respect to oversight of risk-management matters. The Committee shall coordinate with other Board-level and management-level committees, as appropriate, concerning risk-management issues within the other committees' respective areas of responsibility.
- The Committee shall document and maintain records of its proceedings, including risk-management decisions.
- Except as set forth herein, the Committee is governed by the same rules regarding meetings (including meetings in person or by telephone or other similar communications equipment), action without meetings, notice, waiver of notice, and quorum and voting requirements as are applicable to the Board.
Authority, Duties and Responsibilities
The sole and exclusive function of the Committee is overseeing the risk-management policies of the Company and the operation of the Company's enterprise-wide risk management framework, such framework to be commensurate with the Company's structure, risk profile, complexity, activities and size, as well as providing oversight of the Company's capital planning and liquidity risk management. In furtherance thereof, the Committee's duties shall include:
Oversight of Enterprise-Wide Risk-Management Framework
- Approve and periodically review global risk-management policies of the Company, including the ongoing alignment of the risk appetite framework approved by the Board with the Company's strategy and capital plans.
- Oversee the operation of policies and procedures establishing risk-management governance, risk-management procedures, risk appetite metrics and key risk indicators, and the risk-control infrastructure for the Company.
- Oversee the operation of processes and systems for implementing and monitoring compliance with such policies and procedures, including:
- Processes and systems for identifying and reporting risks and risk-management deficiencies, including regarding emerging risks, and ensuring effective and timely implementation of actions to address emerging risks and risk-management deficiencies;
- Processes and systems for establishing managerial and employee responsibility for risk management;
- Processes and systems for ensuring the independence of the risk-management function; and
- Processes and systems to integrate risk management and associated controls with management goals and its compensation structure.
- Receive and review regular reports from management on items related to operational risk. Review the quality and effectiveness of the Company's technology security, and periodically review, appraise and discuss with management the quality and effectiveness of the Company's information technology security, data privacy and disaster recovery capabilities.
- Review and make recommendations to the Board, as appropriate, regarding the Company's risk-management framework, key risk-management policies and the Company's risk appetite and tolerance.
- Review adequacy of risk appetite that has been established for each area of enterprise risk.
- Receive and review regular reports from management and, on not less than a quarterly basis, from the Company's Chief Risk Officer, on risk-management deficiencies and emerging risks, the status of and changes to risk exposures, policies, procedures and practices, and the steps management has taken to monitor and control risk exposures.
- Receive and review periodic reports, on not less than an annual basis, from the head of CCOR on its independent assessment of asset quality, deficiencies in and adherence to credit-related policies, procedures and practices, and the steps management has taken to monitor and control credit risk exposure.
- Receive reporting on compliance with the Company's risk appetite and limit structure and risk-management policies, procedures and controls.
- Receive and review reports from the Company's internal audit function on the results of risk-management reviews and assessments.
- Approve the appointment and, when and if appropriate, replacement of the Company's Chief Risk Officer, who shall report directly to the Committee and administratively to the Company's Chief Executive Officer. Review the qualifications and performance of, and approve the compensation of, the Chief Risk Officer on an annual basis.
- Review and discuss with the Company's Chief Risk Officer whether corporate risk management has the appropriate resources, independence and authority to fulfill its risk-management responsibilities.
- Perform such other duties and functions required of the Committee pursuant to regulations adopted by the Federal Reserve from time to time that are applicable to the Company.
- Receive and review examination reports, as well as information regarding examinations and communications from regulators, to the extent that they relate to matters within the purview of the Committee.
Oversight of Capital Planning and Liquidity Risk-Management Activities
- Oversee the capital planning process, including periodic review of the risk infrastructure and significant capital resource and loss estimation methodologies, and highly critical inputs and assumptions; evaluation of capital goals; and assessment of the appropriateness of stress scenarios.
- Review and approve the acceptable level of liquidity risk that the Company may assume in connection with its operating strategies at least annually, taking into account the Company's capital structure, risk profile, complexity, activities and size.
- Receive and review reports from senior management on the Company's liquidity risk profile, liquidity risk management and liquidity risk tolerance at least quarterly (or more often, if changes in market conditions or the liquidity position, risk profile, or financial condition warrant); provided, however, that the Board shall receive and review at least semi-annually information provided by management to determine whether the Company is operating in accordance with its liquidity risk tolerance.
- Review and approve the Company's strategies, policies, and procedures designed to effectively manage the risk that the Company's financial condition or safety and soundness would be adversely affected by its inability or the market's perception of its inability to meet its cash and collateral obligations.
- Receive written reports from the Company's independent review function on material liquidity risk-management issues for corrective action, to the extent permitted by applicable law.
- Review the Company's annual capital plan, including planned capital actions.
- Receive and review documentation regarding the Company's methodology for making cash flow projections, including any assumptions.
- Review and approve the Company's contingency funding plan at least annually and approve any material revisions of the plan prior to the implementation of such revisions.
- Make such recommendations with respect to any of the above and other matters as the Committee deems necessary or appropriate.
- Have such other authority, duties and responsibilities as may be delegated to the Committee by the Board.
The Committee's authority, duties and responsibilities are discharged through evaluating reports given to the Committee and presentations made to the Committee by the Company's Chief Risk Officer and other members of management, and by other persons or organizations the Committee deems appropriate.
As Amended: May 11, 2023