Board IT and Resilience Committee members

Gunn Waersted (Chair), Albert Hitchcock, Phil Rivett and Tamara Rajah.

Board IT and Resilience Committee Terms of Reference

16 March 2022

1. Purpose

1.1 The purpose of the Board IT and Resilience Committee (“the Committee”) is to provide oversight and advice to the Board in respect of IT strategy, IT investment, IT architecture, IT operating model effectiveness, delivery performance and resilience controls, including cyber risk, as well as overseeing the Society’s data management strategy.

1.2 The Committee reports formally to the Board and/or the Board Risk Committee, as set out below, on those matters after each meeting. The Board Risk Committee retains overall responsibility for providing oversight and advice to the Board on all risk matters as set out in section 9 of its Terms of Reference.

2. Authority

2.1 The Committee is a Committee of the Board from which it derives its authority and to which it regularly reports.

2.2 The Committee has delegated authority from the Board in respect of its functions and responsibilities as set out in these Terms of Reference.

2.3 The Committee may sub-delegate any or all of its powers and authority as it sees fit, including, without limitation, the establishment of sub-committees to analyse particular issues and to report back to the Committee.

2.4 The Committee has authority to oversee any investigation of activities relating to the Society which are within its Terms of Reference.

2.5 The Committee is authorised to seek any information it requires from any employee of the Society in order to perform its duties or call any employee to be questioned at a meeting of the Committee as and when required.

2.6 The Committee may obtain, at the Society’s expense, external legal or other professional advice on any matter within its Terms of Reference.

2.7 The Committee Chair and the Society Secretary are authorised by the Board to review and approve any non-material change required to be made to the Committee’s Terms of Reference. Any such change should be reported to the Board.

3. Membership

3.1 Members of the Committee shall be appointed by the Board, on the recommendation of the Nomination and Governance Committee in consultation with the Chair of the Committee.

3.2 The Committee shall be made up of at least three independent non-executive Directors of the Society.

3.3 The Board shall appoint the Committee Chair who shall be an independent non-executive Director.

3.4 In the absence of the Committee Chair and/or an appointed deputy, the remaining members present shall elect one of themselves to chair the meeting.

3.5 The Chair of the Board shall not be a member of the Committee.

3.6 Appointments to the Committee shall be for a period of up to three years, which may be extended for a further three-year period (or, in exceptional circumstances, two such periods).

3.7 Only the members of the Committee have the right to attend Committee meetings. Other individuals such as the Chief Executive Officer, the Chief Operating Officer, external advisers, and their representatives may be invited to attend all or part of any meeting as and when appropriate.

4. Secretary

4.1 The Society Secretary or their nominee shall act as the Secretary of the Committee and will ensure that the Committee receives information and papers in a timely manner to enable full and proper consideration to be given to the issues.

5. Quorum and mode of meetings

5.1 The quorum necessary for the transaction of business shall be two members, one of whom shall be the Chair or their nominated deputy.

5.2 A duly convened meeting of the Committee at which a quorum is present shall be competent to exercise all or any of the authorities, powers and discretions vested in or exercisable by the Committee.

5.3 In the event of difficulty in forming a quorum, independent non-executive Directors of the Society who are not members of the Committee may be co-opted as members for individual meetings.

5.4 A decision of the Committee may be taken by written resolution including electronic means. A decision may not be taken in accordance with this provision if the members of the Committee would not have formed a quorum at a meeting.

5.5 The members of the Committee shall be deemed to meet together if they are in separate locations, but are linked by conference telephone, video or other communication equipment. For the avoidance of doubt, a quorum in that event shall be as set out in 5.1 above. Such a meeting shall be deemed to take place where the largest group of members of the Committee participating is assembled or, if there is no such group, where the Chair is located.

6. Frequency of meetings

6.1 The Committee shall meet at least four times a year and otherwise as required.

7. Notice of meetings

7.1 Meetings of the Committee shall be called by the Secretary of the Committee at the request of any of its members or at the request of external or internal auditors if they consider it necessary.

7.2 Unless otherwise agreed, notice of each meeting confirming the venue, time and date together with an agenda of items to be discussed, shall be forwarded to each member of the Committee and any other person required to attend, no later than three working days before the date of the meeting.

7.3 Supporting papers shall be sent to Committee members and to other attendees as appropriate, at the same time.

8. Minutes of meetings

8.1 The Secretary of the Committee shall minute the proceedings and resolutions of all meetings of the Committee, including recording the names of those present and in attendance.

8.2 The Secretary of the Committee shall record any conflict of interests reported at the meeting.

8.3 Draft minutes of Committee meetings shall be circulated promptly to all members of the Committee and, once agreed, to all members of the Board (unless in the opinion of the Committee Chair it would be inappropriate to do so).

9. Duties and responsibilities

The Committee shall:

9.1 Oversee Nationwide’s Technology Strategy (including strategic investment), IT Architecture and associated execution and delivery, endorsing it for approval by the Board, and considering future technological development and trends;

9.2 Oversee Nationwide’s IT operating model effectiveness, including organisational structure and capabilities related to technology and transformation, on behalf of the Board. The Committee will report its findings to the Board;

9.3 Oversee Nationwide’s IT, Business Protection and Business Continuity risk categories¹ (as defined in the Enterprise Risk Management Framework – ERMF) and IT and resilience issues from the other risk categories of the ERMF, including oversight and challenge of the day-to-day risk, control and oversight arrangements of the executive, including the effectiveness of the control environment;

9.4 On behalf of the Board Risk Committee, provide oversight to ensure that the impact of IT strategies and IT service delivery performance is understood in the context of the Society’s risk appetite and that risk mitigation is in place where appropriate¹;

9.5 Oversee the design and simplification of Nationwide’s framework of IT systems and controls on behalf of the Board and the Board Risk Committee;

9.6 Oversee Nationwide’s Cyber Risk and cyber programme delivery.¹ The Committee is responsible for reporting to the Board Risk Committee on Cyber Risk;

9.7 Oversee Nationwide IT Service delivery performance and IT related Major, Critical or Severe Incidents including Nationwide’s IT disaster recovery strategy, planning, execution and lessons learned from any significant incidents, as well as reporting to the Board Risk Committee on any such Service delivery performance and Incidents; and

9.8 Oversee and approve Operational Resilience and Security Strategy on behalf of the Board.

10. Reporting responsibilities

10.1 The Committee Chair shall report formally to the Board or the Board Risk Committee on its proceedings after each meeting on all matters within its duties and responsibilities including to the Board Risk Committee on all risks and controls relating to IT risks and resilience matters including Data and Cyber along with any other matters of interest to the Board Risk Committee.

10.2 The Committee shall make whatever recommendations to the Board it deems appropriate on any area within its remit where action or improvement is needed.

10.3 A report to members on the Committee’s activities is to be included in the Society’s Annual Report and Accounts. The report shall include a description of the significant issues dealt with by the Committee.

10.4 Where any disagreements between the Board or the Board Risk Committee and the Committee cannot be resolved, the Committee has the right to report the issue to members as part of its activities in the Annual Report and Accounts.

11. Decision Making And Senior Manager & Certification Regime Responsibilities

11.1 All members of the Committee are responsible for and bound by the decisions taken by the Committee whether or not they actively supported or participated in the decisions although dissent can be recorded.

11.2 A member of the Committee who is a Senior Management Function (SMF) Holder under the Senior Manager and Certification Regime (SMCR) remains individually accountable for their contributions to collective decisions and their implementation insofar as those contributions are in scope of their Senior Manager responsibilities and therefore they also remain accountable for taking reasonable steps in respect of their function and allocated responsibilities.

12. Annual General Meeting

12.1 The Chair of the Committee or a deputy chosen from the Committee membership shall attend the Annual General Meeting, prepared to respond to any member questions on the Committee's activities or any matter within the remit of the Committee.

13. Miscellaneous

The Committee shall:

13.1 give due consideration to applicable laws and regulations, including the Prudential Regulation Authority and Financial Conduct Authority’s Principles and Rules, the UK Listing Authority’s Listing Rules and Disclosure Guidance and Transparency Rules, the Building Societies Act 1986 and to the recommendations of the UK Corporate Governance Code, as appropriate;

13.2 be cognisant of the conduct risks arising (or increasing) as a result of their judgements, taking proactive steps to avoid or prevent these where possible;

13.3 work and liaise as necessary with all other Board Committees as required;

13.4 have access to sufficient and precise resources in order to carry out its duties, including access to Nationwide’s Secretariat for assistance as required;

13.5 receive appropriate and timely training relevant to its activities, both in the form of induction training for new members and on an ongoing basis for all members; and

13.6 at least once a year, review its own performance, constitution and Terms of Reference to ensure it is operating effectively and in line with PRA and FCA requirements, and report the results of this review and recommend any changes necessary to the Board for approval.

13.7 For the purposes of these Terms of Reference, “the Society” shall mean Nationwide Building Society; “Nationwide” shall mean Nationwide Building Society and its subsidiaries.

¹ The Board Risk Committee retains overall responsibility for Board oversight of all risks, and the recommendation and monitoring of Board Risk Appetite metrics for all risk categories, including IT-related risk categories.