Information Technology Committee Charter
Bank of Queensland
31 May 2018

1 Purpose
The Information Technology Committee (Committee) has been established by the Bank of Queensland Limited (BOQ) Board with the purpose of:
(a) assisting the Board in fulfilling its corporate governance and oversight responsibilities for the BOQ Group's investments, operations and strategy in relation to digital, technology and information systems; and
(b) reporting to the Board and providing appropriate advice and recommendations on matters covered by this Charter, in order to facilitate decision making by the Board.
A reference to the BOQ Group in this Charter means BOQ and each of its subsidiaries. A reference to Technology in this Charter encompasses both Digital and Information Technology.
For the avoidance of doubt, the Committee discharges the above responsibilities in relation to the Company and, as applicable, the entities it controls (the Group).

1.1 Role of the Committee
The Committee provides assistance and makes considered recommendations to the Board by:
(a) Reviewing and recommending to the Board, management's strategies relating to technology and their alignment with the Group's overall strategy and objectives;
(b) Reviewing and monitoring Management's strategies for developing or implementing new technologies and systems;
(c) Increasing awareness of key technology changes and innovations in the marketplace;
(d) Reviewing and recommending to the Board new technology investments above $5 million in capital expenditure value, and monitoring and reviewing the post implementation results of all key technology projects;
(e) Reviewing and recommending to the Board management's strategies for sourcing of major technology suppliers and monitoring the technology governance framework for third party suppliers;
(f) Reviewing and monitoring the effectiveness of the IT Risk Management and Security plan (including advising the Board Risk Committee on matters of Technology Risk and Cyber Security); and
(g) Improving the efficiency of the Board by taking
responsibility for technology tasks delegated to the Committee where such tasks should be discussed in sufficient depth.

2 Membership

2.1 Composition
(a) The Committee must comprise a minimum of three independent non-executive members of the Board of Directors.
(b) Members will be given the opportunity to attend technical or professional development courses to assist them in keeping up to date with technological, legislative, regulatory or other relevant issues.
(c) Membership of the Committee will be reviewed by the Board on an annual basis.
(d) Each member of the Committee must dedicate the necessary time and attention to Committee meetings.
(e) The duties and responsibilities of a member of the Committee are in addition to those set out for a member of the Board.
(f) The Managing Director & CEO, Group Executive Chief Digital & Innovation Officer and Chief Risk Officer may be invited to attend meetings as required. Other Management personnel may also be invited to attend meetings as required. The Committee may request certain parties to withdraw from any part of a meeting.
(g) BOQ's Company Secretary or his/her designated representative shall be appointed Secretary to the Committee.

2.2 Chair of the Committee
The Chair of the Committee will be an independent non-executive Director of BOQ and be appointed by the Board. The Chair of the Committee is involved in:
(a) the selection process for the appointment of the Group Executive Chief Digital & Innovation Officer for BOQ and recommending to the Board the chosen candidate for the position; and
(b) Liaising with the Managing Director & CEO regarding any plans for dismissal of the incumbent Group Executive Chief Digital & Innovation Officer.
The Committee Chair will chair Committee meetings. In the absence of the Committee Chair (or his or her properly appointed delegate), the members will elect one of their number as Chair of that meeting.

3 Meetings

3.1 Quorum
A quorum will consist of at least 2 independent non-executive directors.

3.2 Agenda
(a) The agenda for Committee meetings will be prepared by the Company Secretary and approved by the Committee Chair.
(b) The agenda will include those items required by the Committee Charter and such other items as are requested by Committee members or management and approved by the Committee Chair.
(c) The agenda and supporting papers are to be delivered to Committee members by the Company Secretary at least seven (7) days in advance of each meeting. Late papers may be accepted only with the consent of the Committee Chair.

3.3 Scheduling and Notice
(a) The Committee will meet as often as required to undertake its role effectively, but no less than four times per financial year on dates determined by the Committee Chair or more frequently if required as determined by the Committee Chair.
(b) Any Committee member may call a Committee meeting at any time. On the request of a Committee member, the Company Secretary must convene a meeting of the Committee.
(c) The Company Secretary will provide adequate notice to all members of the Committee of all meetings.

3.4 Voting
(a) Meetings are governed by the provisions of the Company's constitution regulating directors' meetings.
(b) Wherever possible, the Committee should seek to determine matters before the Committee by consensus. If the Committee is unable to reach a consensus on a matter, this will be recorded in the Committee minutes and the Committee Chair will advise the Board of the range of views held by members of the Committee on the issue.
(c) Any person with a material personal interest in a matter being considered by the Committee must not be present when that matter is considered by the Committee.
(d) For the avoidance of doubt, decisions of the Committee may be made at a duly called and constituted meeting or otherwise agreed by Committee members in accordance with those provisions of the Company constitution governing written resolutions.

3.5 Additional Attendees
(a) Members of the Board who are not Committee members are entitled to attend Committee meetings but cannot vote on any matters being considered by the Committee. For the avoidance of doubt, all Committee papers are available to all members of the Board subject to the Company's rules in relation to conflicts of interests, as amended from time to time.
(b) The Committee may, if it deems appropriate, invite to the Committee meeting, or hold private meetings with, such advisers or management personnel as the Committee may require.

3.6 Minutes
(a) Minutes are to be prepared for each Committee meeting.
(b) The draft minutes of each meeting are to be reviewed by the Committee Chairman and circulated to all Committee members by the Company Secretary as soon as practicable but no later than the distribution date for the papers for the next Committee meeting.
(c) The Committee must confirm the minutes of each Committee meeting at its next meeting.
(d) A copy of the minutes, once they have been approved by the Committee, must be signed by the Committee Chairman and made available to the Company's Board.

3.7 Expert Advice
The Committee has the right to seek independent professional advice in connection with carrying out its duties at the Company's expense. Prior written approval from the Chairman of the Board is required prior to seeking such professional advice.

4 Reporting
The Committee will report to the Board about Committee activities and make recommendations to the Board on matters relevant to the Committee's purpose. The Committee will prepare any reports required by law, the ASX Listing Rules or otherwise requested by the Board.

5 Responsibilities
The Committee will recommend to the Board the Group's Information Technology strategy and its implementation, together with relevant policies. To facilitate its oversight, the Committee will receive information from Management (and external advisors) in relation to the following matters. These matters are not exhaustive and may change from time to time. The details below reflect the information and activities necessary to support the objectives above.

5.1 Technology Strategy and Innovation
The Committee will review and report to the Board on:
(a) The Group's technology strategy with respect to a 3-5 year horizon;
(b) Sourcing strategies for the Group's selection and evaluation of the performance of its key external technology suppliers; and
(c) Emerging global technologies and trends and their potential for application within the Group, including educating the Committee through meetings with experts and education visits to key technology partners and industries.

5.2 Technology Operating Model and Governance
Oversight and responsibility of the Technology Governance and Operating Model which describes the operating structure, governance structure and key accountabilities for technology and the business.

5.3 Technology Investment Oversight
The Committee will review and report to the Board on:
(a) Proposals for all technology investments over $5 million in capital value or categorised as high risk, including understanding the balance of the overall investment portfolio across risk and return;
(b) Post implementation reviews of all key projects that involve technology investment, including the achievement of expected benefits and return on investment and management of the risk profile; and
(c) The carrying value of IT Assets - the Committee will advise the Audit Committee half yearly of any issues regarding the carrying value of IT Assets, including any impairment.

5.4 Technology Operating Performance
The Committee will review and report to the Board on the strategic benchmarking of technology performance against external peer groups from time to time.

5.5 Technology Risk, Security and Cyber Security
(a) The Committee will review and report to the Board on:
(i) The effectiveness of Disaster Recovery plans and Disaster Recovery testing;
(ii) Key technology security strategies and policies;
(iii) Key technology risks and technology risk mitigation strategies, including the overall technology risk profile of the Group; and
(iv) The overall profile of technology audit issues for the Group (the Audit Committee will continue to remain responsible for individual IT Audit reports).
(b) With respect to Cyber Security, the Committee will:
(i) provide commentary to the Risk Committee on appropriateness of IT and Cyber Security Risk Appetite;
(ii) provide oversight and management of IT and Cyber Security Risks (primary responsibility);
(iii) receive periodic deep dives on Cyber Security (joint responsibility with the Risk Committee);
(iv) receive and review first line management reports on IT and Cyber Security Risk;
(v) receive and review third line audit reports on IT and Cyber Security Risk;
(vi) review major IT and Cyber Security incidents; and
(vii) review and recommend the Cyber Security Investment Portfolio and Roadmap to the Board.
(c) For clarity, the Risk Committee will remain responsible for second line of defence reports and reviewing first and third line of defence reports as part of the enterprise risk profile and in reviewing the enterprise risk management framework.

5.6 Other Responsibilities
The Committee will refer to the Audit Committee or Risk Committee any matters that have come to the attention of the Committee that are relevant for noting or consideration, or which should be dealt with by, the Audit Committee or Risk Committee.

6 Annual Review

6.1 Committee Performance
The Committee will undertake an annual review of its performance against the requirements of this Charter and provide that information to the Board along with any recommendations resulting from the review.

6.2 Committee Charter Review
This Charter supersedes any charter or terms of reference previously in force. Any modifications to or replacements of this Charter must be approved by the Board. The Committee will review this Charter at least once per annum. The next scheduled review is May 2019.

7 Definitions and Interpretation

7.1 Definitions
ASX means ASX Limited ACN 008 624 691 and the exchange operated by it.
Board means the board of directors of Bank of Queensland Limited.
Company means the Bank of Queensland Limited, ABN 32 009 656 740.
Corporations Act means the Corporations Act 2001 (Cth) as amended from time to time.
Director means a director of the Company or its subsidiaries.
Listing Rules means the listing rules of the ASX.
Technology means information technology and includes, without limitation, digital and innovation technologies.

7.2 Interpretation
Concepts not defined in this document which have a meaning in the Corporations Act or the Listing Rules have that same meaning in this document.