2022 ESG Report

Risk Management

Summary of Our Approach

• Our Board of Directors, assisted primarily by the BRC, oversees our risk management efforts, which are governed by a robust Enterprise Risk Management (ERM) framework.
• Our Global Risk Management function maintains our ERM framework and oversees execution of risk management programs across the enterprise.
• Our ERM framework is communicated through risk policies and standards, intended to enable consistent design and execution of strategies across the organization.

Risk Management

Mitigating hazards and managing risk is critical to our day-to-day interactions with our customers and business operations. The activities required to achieve the firm’s mission involve elements of risk-taking. Responsible risk-taking is all about striking the right balance between taking risk where it is necessary and safeguarding our business and customers’ best interests. We have a common approach to managing all risks to which we are exposed and to evaluating potential directly comparable risk-adjusted returns on contemplated business activities.

Three Lines of Defense Model

We have a strong risk culture and a common approach to risk management, which includes a “three lines of defense” governance model that segregates duties among risk-taking activities, risk monitoring, and risk oversight, and establishes appropriate accountability for those who assume risk versus those who oversee risk.

1. Our first line of defense includes the Chief Executive Officer (CEO), Segment and Business Unit General Managers, Global Function Heads, and all business operations personnel, who are ultimately responsible for their business results, the risks they assume to achieve those results, and for the day-to-day management of the risks and related controls.
2. The second line of defense is composed of the company’s Chief Risk Officer (CRO), the Global Risk Management (GRM) function, the company’s Chief Compliance Officer and the Global Compliance function, and other global oversight functions. Collectively, this group provides independent oversight of risk taking and risk management activities across the enterprise.
3. The third line of defense is Audit Services, which provides independent, objective assurance that controls are effective and appropriate relative to the risk inherent in the business and that risk mitigation programs and risk oversight functions are effective in managing risks.

2022 Manulife ESG Report - Page 71