Governance at Manulife

Each director, other than the Chair of the Board, sits on two committees. There is cross-membership between the management resources and compensation committee and the risk committee, and the corporate governance and nominating committee and the audit committee, which adds depth to committee deliberations. The audit committee and risk committee have at least one joint meeting every year. The board meets directly with OSFI, our principal regulator, every year, and there are regular meetings between the Chair of the Board and OSFI throughout the year.

Enterprise risk management (ERM) framework

Our ERM framework provides a structured approach to risk-taking and risk management activities across the enterprise, supporting our long-term revenue, earnings, and capital growth strategy. It is communicated through risk policies and standards, which are intended to enable consistent design and execution of strategies across the organization. We have a common approach to managing all risks we are exposed to, and to evaluating potential directly comparable risk-adjusted returns on contemplated business activities. Our risk management practices are influenced and impacted by external and internal factors (such as economic conditions, political environments, technology and risk culture), which can significantly impact the levels and types of risks we might face in pursuit of strategically optimized risk-taking and risk management. Our ERM framework incorporates relevant impacts and mitigating actions as appropriate.

As part of our ERM framework, we have a compensation risk framework in place to support the governance and design of controls for the risks associated with the compensation program. Our compensation programs are assessed against this framework every year.

The enterprise-wide information security program, which is overseen by the Chief Information Risk Officer, seeks to mitigate information security risks. This program establishes the information and cyber security framework for the company, including governance, policies and standards, and appropriate controls to protect information and computer systems. We also have ongoing security awareness training sessions for all employees.

Compliance and reporting

Management oversees the principal risks and implementation of controls to manage risk, and regularly assesses whether there are any material deficiencies. They update the board on our principal risks at least quarterly.

Controls and certifications

We update our risk policies, risk management processes, internal controls and management information systems regularly to make sure they match our risk profile and comply with regulatory requirements. We also perform stress testing on an ongoing basis to support the way we identify, assess and mitigate risk.

The CEO and CFO certify our disclosure controls and procedures, annual financial statements and quarterly financial statements, among other things, to meet legal and regulatory requirements.

4 — LEADERSHIP DEVELOPMENT AND SUCCESSION

The management resources and compensation committee reviews our approach to human resources, talent management, compensation and the succession planning process for senior executives.

Diversity

We value a high performing workforce that reflects the diversity of our customers and the communities where we operate. We believe that a diverse workforce, especially in leadership roles, can enhance performance, foster innovation and improve business results. We are committed to developing a more diverse and inclusive workforce that is more representative of our customer base and has more women and Black, Indigenous, and People of Colour (BIPOC) in leadership positions.

2023 Management information circular 121
