NEX GROUP plc ("NEX" / "the Company")

RISK COMMITTEE OF THE NEX GROUP PLC BOARD

TERMS OF REFERENCE OF THE RISK COMMITTEE ("the Committee")

(Approved on and effective from 1 February 2018)

Membership

1. The Risk Committee shall consist of such independent non-executive directors as shall be appointed from time to time by the board on the recommendation of the Nomination Committee in consultation with the Chairman of the Risk Committee, pursuant to the Articles of Association of the Company. The Committee shall consist of not less than three members. Membership shall include at least one member of the Audit Committee.

2. A quorum shall be two members.

3. The Chairman of the Risk Committee, who shall be appointed by the board, shall have a casting vote on all matters in the event of an equality of votes.

4. The Group Company Secretary shall be the Secretary of the Risk Committee.

Attendance at Meetings and Voting

5. The Chief Financial Officer, the Group Chief Operating Officer, the Group Head of Risk, the Group Head of Compliance, the Group Head of Internal Audit, the Chairman of the board and the Group General Counsel are normally expected to attend all meetings of the Committee. A representative of the external auditors will only be invited to attend the meetings where the non-executive directors require the auditors' views on some risk matters. The Risk Committee shall be entitled to invite non-members to attend for a particular meeting or a particular agenda item. At least twice a year, the Risk Committee will meet the Group Head of Internal Audit without any executive director or management present.

p.1/5
The Group Head of Risk will present his assessment of NEX Group's risks and threats to the Risk Committee at least twice a year without any executive director or management present. The Chief Information Security Officer will present an annual assessment of NEX Group's security risks without any executive director or management present.

Chief Information Security Officer dual reporting

6. The Chief Information Security Officer (CISO) has a dual reporting line:

a) to the Risk Committee, with ad hoc reporting at the request of the Committee and a formal written annual report, and

b) to the COO for routine, day-to-day oversight.

The CISO has free and unrestricted access to the Chair of the Risk Committee. This provides a direct channel for urgent and/or major findings and a route for the CISO to raise concerns regarding any potential compromise of the integrity of the CISO role. The CISO will also have ad hoc meetings with the Chair of the Risk Committee to provide briefings on information security.

Frequency of Meetings

7. Meetings shall follow the schedule of full board meetings, i.e. be held not less than six times a year, and where appropriate meetings should coincide with key dates in the Group's cycle for reviewing its risks and setting/reviewing its annual strategy, as well as considering the Group's reporting cycle.

8. The Group Head of Internal Audit, the Group Head of Risk and the Group Head of Compliance may request a meeting if they consider that one is necessary.

Authority

9. The Risk Committee is authorised by the board:

(a) to investigate any activity within its Terms of Reference. It may seek any information it requires from any employee, and all employees are directed to co-operate with any request made by the Risk Committee;
(b) to obtain outside legal or other independent professional advice, and to secure the attendance of outsiders with relevant experience and expertise, if it considers this necessary or advisable, at the Group's expense.

Duties

10. The Risk Committee should carry out the duties below for NEX Group, its major subsidiary undertakings and the NEX Group as a whole, as appropriate.

10.1 To review the quality and effectiveness of the Group's risk management framework, in particular to ensure that the key risks of the Group (including emerging threats) are properly assessed and mitigated.

10.2 To monitor the mechanisms of internal control of those areas of risk identified throughout the Group. For clarity, it remains the ultimate responsibility of the NEX Group plc board to ensure overall identification, monitoring and control of risk within the Group.

10.3 To review and approve the risk appetite methodology, including the high level principles for setting limits, to review the assumptions and the model used in the methodology and to approve external disclosures.

10.4 To ensure that the Group Head of Risk and the Group Head of Compliance Officer and the risk and compliance functions are independent from the business and free to conduct their activities without management constraint.

10.5 To approve the appointment or dismissal of the Group Chief Risk Officer and the Group Chief Compliance Officer.

10.6 To make recommendations to the Remuneration Committee regarding the compensation of the Group Head of Risk and the Group Head of Compliance.

10.7 To review management's and the internal auditor's reports on the effectiveness of systems of control and risk management as part of integrated assurance.

10.8 To monitor and review the effectiveness of the Group's internal audit function and to review the internal audit programme as part of integrated assurance, ensure co-ordination between the internal auditors and each of
the risk and compliance functions and ensure that the internal audit function has adequate resources and has appropriate standing within the Group.

10.9 To consider the major findings and recommendations of the internal auditors.

10.10 To review and approve the risk section of the Group's annual report.

10.11 To establish the high-level objectives of the Group risk and compliance teams and review performance against these objectives with the Group Head of Risk and the Group Head of Compliance twice a year.

10.12 To review the key risk reports of the Group and provide a robust challenge to the Group Head of Risk, the Group Head of Compliance and the Chief Information Security Officer.

10.13 To monitor and review the effectiveness of the Group's Information Security, as part of an integrated assurance programme, co-ordinating the risk, compliance, information security and internal auditor functions, and ensuring Information Security has adequate resources and appropriate standing within the Group.

10.14 To satisfy itself that due diligence has been carried out properly in respect of the impact of strategic transactions on the risk profile of the Group and that all relevant facts and information on risk and reward are presented to the board for discussion.

10.15 To advise the board on the Group's overall risk appetite, tolerance and strategy, taking into account the current and prospective macroeconomic assessments that may be relevant to the Group's risk policies.

10.16 To advise the board on the current risk exposures of the Group and future risk strategy.

10.17 To refer matters to the board which, in its opinion, should be addressed at a meeting of the board.

10.18 To review the Group's procedures for handling allegations from whistleblowers.
Reporting Procedures

11. The Secretary shall circulate the minutes of meetings of the Risk Committee to all members of the board.

12. The Committee members shall conduct an annual review of their work and their terms of reference and make recommendations to the board.

13. The Committee's duties and activities during the year shall be disclosed in the annual financial statements.

14. The Chairman of the Committee or, as a minimum, another member of the Committee, shall attend the board meeting at which the accounts are approved.

15. The Chairman of the Risk Committee shall attend the Company's annual general meeting to answer questions about the Committee's activities and responsibilities.