• In addition, an increase in the cost of reinsurance could also adversely affect our ability to write future business or result in the assumption of more risk with respect to policies we issue. Premium rates charged on new policies we write are based, in part, on the assumption that reinsurance will be available at a certain cost. Certain reinsurers may attempt to increase the rates they charge us for new policies we write, and for competitive reasons, we may not be able to raise the premium rates we charge for newly written policies to offset the increase in reinsurance rates. If the cost of reinsurance were to increase, if reinsurance were to become unavailable and if alternatives to reinsurance were not available, our ability to write new policies at competitive premium rates could be adversely affected.

Operational Risk

Operational risk is naturally present in all of our business activities and encompasses a broad range of risks, including regulatory compliance failures, legal disputes, technology failures, business interruption, information security and privacy breaches, human resource management failures, processing errors, modelling errors, business integration, theft and fraud, and damage to physical assets. Exposures can take the form of financial losses, regulatory sanctions, loss of competitive positioning, or damage to our reputation. Operational risk is also embedded in all the practices we use to manage other risks; therefore, if not managed effectively, operational risk can impact our ability to manage other key risks such as credit risk, market risk, liquidity risk and product risk.

Operational Risk Management Strategy

Our corporate governance practices, corporate values, and integrated enterprise-wide approach to managing risk set the foundation for mitigating operational risks. 
This base is further strengthened by internal controls and systems, compensation programs, and seeking to hire and retain trained and competent people throughout the organization. We align compensation programs with business strategy, long-term shareholder value and good governance practices, and we benchmark these compensation practices against peer companies. We have an enterprise operational risk management framework that sets out the processes we use to identify, assess, manage, mitigate and report on significant operational risk exposures. Execution of our operational risk management strategy supports the drive towards a focus on the effective management of our key global operational risks. We have an Operational Risk Committee, which is the main decision-making committee for all operational risk matters and which has oversight responsibility for operational risk strategy, management and governance. We have enterprise-wide risk management programs for specific operational risks that could materially impact our ability to do business or impact our reputation.

Legal and Regulatory Risk Management Strategy

Global Compliance oversees our regulatory compliance program and function, supported by designated Chief Compliance Officers in every segment. The program is designed to promote compliance with regulatory obligations worldwide and to assist in making the Company’s employees aware of the laws and regulations that affect it, and the risks associated with failing to comply. Segment Compliance groups monitor emerging legal and regulatory issues and changes and prepare us to address new requirements. Global Compliance also independently assesses and monitors the effectiveness of a broad range of regulatory compliance processes and business practices against potential legal, regulatory, fraud and reputation risks, and allows significant issues to be escalated and proactively mitigated. Among these processes and business practices are: privacy (i.e. 
handling of personal and other confidential information), sales and marketing practices, sales compensation practices, asset management practices, fiduciary responsibilities, employment practices, underwriting and claims processing, product design, the Ethics Hotline, and regulatory filings. In addition, we have policies, processes and controls in place to help protect the Company, our customers and other related third parties from acts of fraud and from risks associated with money laundering and terrorist financing. Audit Services, Global Compliance and Segment Compliance personnel periodically assess the effectiveness of the system of internal controls. For further discussion of government regulation and legal proceedings, refer to “Government Regulation” in MFC’s Annual Information Form dated February 15, 2023 and note 19 of the 2022 Annual Consolidated Financial Statements.

Business Continuity Risk Management Strategy

We have an enterprise-wide business continuity and disaster recovery program. This includes policies, plans and procedures that seek to minimize the impact of natural or human-made disasters, and is designed to ensure that key business functions can continue normal operations in the event of a major disruption. Each business unit is accountable for preparing and maintaining detailed business continuity plans and processes. The global program incorporates periodic scenario analysis designed to validate the assessment of both critical and non-critical units, as well as the establishment and testing of appropriate business continuity plans for all critical functions. The business continuity team establishes and regularly tests crisis management plans and global crisis communications protocols. We maintain off-site data backup facilities and/or failover capabilities as required to manage the risk of downtime and to accelerate system recovery when needed. 

Technology & Information Security Risk Management Strategy

Our Technology Risk Management function provides strategy, direction, and oversight and facilitates governance for all technology risk domain activities across the Company. The scope of this function includes: reducing information risk exposures by introducing a robust enterprise information risk management framework and supporting infrastructure for proactively identifying, managing, monitoring and reporting on critical information risk exposures; promoting transparency and informed decision-making by building and maintaining information risk profiles and risk dashboards for Enterprise Technology & Services and segments aligned with enterprise and operational
