The Role of the Board in Enterprise Risk Management 2016 NCFC Annual Meeting Director's Education Conference The Role of the Board in Enterprise Risk Management February 12, 2016 Confidential – Not for Distribution

Agenda 1) ERM Principles and Practice by Mike Mahaffey (45 minutes) Enterprise Risk Management Risk Governance Key Considerations for Directors 2) Panel discussion with Nationwide Board Directors (30 minutes) Tim Corcoran, Dan Kelley, and Mike Toelle 3) Q&A (15 minutes) 4) Table discussions on ERM principles and application (30 minutes) 5) Table recaps, Q&A, wrap up (15 minutes)

ERM Principles and Practice 2016 NCFC Annual Meeting Director's Education Conference ERM Principles and Practice Mike Mahaffey, Chief Strategy & Chief Risk Officer Confidential – Not for Distribution

Evolution of Enterprise Risk and Capital Management State of Practice Over the Last 10 Years State of Practice for the Next 5-10 Years Value Optimization Strategic Integration Integrated Risk Mngmt. Link with Strategy Risk Measurement Loss Minimization Compliance Risk control Balance sheet protection Risk / return optimization Value creation

Enterprise Risk and Capital Management Framework Risk appetite Identify & assess risks Link to strategy Capital Manage- ment Risk measure- ment Risk governance & culture Scenario analysis Monitoring & reporting

Risk Categorization Is the risk taken primarily for financial gain, or a by-product of the pursuit thereof? “Financial” Risks “Non-Financial” Risks High Velocity Shock Risks “Capital” Risks Equity shocks Credit defaults Weather Earthquakes Terrorism “Operational” Risks Cyber Security Business Continuity Fraud Reputational Crisis Does the risk impact the company quickly, or over a prolonged period of time? Low Velocity Trend Risks Long Term “Scenario” Risks Prolonged low rates Climate change Inflation Longevity “Strategic” Risks Technology / competitive disruption Societal shifts Regulatory Geopolitical instability

Governance Roles: The Board and Senior Management Approves of company strategy Selection of firm leadership Stewards of company’s culture and values Approves risk appetite in context of strategy Ensures effective governance framework Approve compensation system to drive results Board (Oversight) (Execution) Develops and implements strategy and risk appetite (recommend to Board) Ensures effective system of internal controls Drive execution of strategy Responsible for understanding, taking, managing, and reporting on risk posture Management

Risk Governance Model A clear distinction between risk owners, risk oversight and support and independent risk assurance is a critical requirement for a successful ERM function and to meet the governance expectations of stakeholders. Board of Directors Ultimate Accountability and Oversight Committee A Committee B Audit Committee Enterprise Risk Council Risk policy, governance, appetite (recommend to Board) 1. Businesses (Risk Takers) Identify and Assess Risk Take Risk Manage Risk Report on Risk Exposures Accountable for Risk Results 2. Risk Management Organization(s) Risk Policy and Standards Aggregation and Analysis Governance Process Monitoring and Reporting 3. Independent Assurance Validation of controls effectiveness Review of risk framework design Assurance to Management and Board on assertions of risk

Board risk governance structural options What you have to believe… Full Board ERM is an accountability for all directors Regular reports to the entire Board will be sufficient Full Board has capacity Audit Committee Centralization promotes effective oversight Can be achieved despite other significant committee responsibilities Existing responsibilities provide solid foundation for risk coverage Risk Committee Sufficient capacity and appropriate skills for all types of risk Necessary for integrated view of all risk Will evidence commitment to risk management Risk responsibilities in other committees could be merged Distributed Model Required for adequate coverage of distinct risks Audit Committee is already overloaded Potential overlap will be minimal and/or effectively coordinated Aggregate view at Board through escalation, communication, reporting

Board distributed risk oversight model Risk Dimension Board of Directors Ultimate Accountability Finance Committee Business Transformation & Technology Human Resources Committee Program & Technology Risk Financial Risk People Risk Governance Committee Board Risk Oversight Model / Process Coordination / Collaboration Coordination / Collaboration Coordination / Collaboration Process Dimension Audit Committee Management Control Environment Coordination / Collaboration Coordination / Collaboration Coordination / Collaboration

Board Directors: Key Considerations Strategy Ensure clear linkage with risk Tolerance Clearly defined risk appetite and limits Supported with courage / conviction to comply Transparency Reporting, monitoring, and open communications Making the complex simple (but not overly so) Stress Testing Make use of simulations and scenario analysis Make the unknown known Culture Importance of honest, direct, candid discussion Avoid “good news” only culture Oversight Different roles of management vs. the board

Panel Discussion with NW Board Members 2016 NCFC Annual Meeting Director's Education Conference Panel Discussion with NW Board Members Tim Corcoran, Dan Kelley, and Mike Toelle Confidential – Not for Distribution

Board distributed risk oversight model Risk Dimension Board of Directors Ultimate Accountability Finance Committee Business Transformation & Technology Human Resources Committee Program & Technology Risk Financial Risk People Risk Governance Committee Board Risk Oversight Model / Process Coordination / Collaboration Coordination / Collaboration Coordination / Collaboration Process Dimension Audit Committee Management Control Environment Coordination / Collaboration Coordination / Collaboration Coordination / Collaboration

Exhibit 1: Crisis Management Preparedness Governance Process Practice Governance Committee of the Board (Board level accountability) Crisis Management Executive Steering Committee (Management level responsibility) Crisis Directors pre-appointed by nature of event Crisis management response plans for all operational areas Board, executive, and line of business crisis guides / wallet cards Nationwide Alert System: automated crisis management notification system Virtual and Physical Command Centers Full Board crisis management simulations (fraud, physical disruption, etc.) Executive crisis management simulations (weather disruption, terrorist attack, financial event, reputational event, other operational disruptions, etc.) Lessons learned and process improvement

Exhibit 2: Board Governance - Dashboards Create transparency Clearly defined goals / objectives Clearly defined performance thresholds Evaluate short and long-term performance (and risks thereto) Drive effective dialogue & action

Exhibit 3: Coordinating Oversight Responsibilities Finance Committee Financial Strategy Risk and Capital Coordinating Linkage Between: Budgeting Planning Performance Measurement Incentive Plan Design Special Captive Committee Limited duration Joint committee membership Internal Controls Legal and Regulatory HR Committee Audit Committee

Exhibit 3: Coordinating Oversight Responsibilities Business Transformation & Technology Committee Coordinating Linkage Between: Capital Allocation Budgeting Planning Performance Measurement Expense Management Operational Risk Controls, including: Financial Reporting Controls Cyber Security Regulatory Compliance Finance Committee Audit Committee

Table Discussion: Applying Principles of ERM 2016 NCFC Annual Meeting Director's Education Conference Table Discussion: Applying Principles of ERM Confidential – Not for Distribution

Enterprise Risk Management and Your Cooperative Identify 1 – 2 issues per quadrant Step 1 What is your oversight structure? Identify who is looking at these issues. Step 2 Define the critical success factors to address/mitigate these risks. What can you do to enhance the effectiveness of the process: communication, decision making, engagement with management, etc. Step 3

Risk Categorization “Capital” Risks “Operational” Risks Long Term “Scenario” Risks “Strategic” Risks High Velocity Shock Risks Low Velocity Trend Risks “Financial” Risks “Non-Financial” Risks Is the risk taken primarily for financial gain, or a by-product of the pursuit thereof? Does the risk impact the company quickly, or over a prolonged period of time?