CHARTER OF THE RISK COMMITTEE
OF THE BOARD OF DIRECTORS
The purpose of the Risk Committee (the "Committee") of the Board of Directors (the "Board") of CrossFirst Bankshares, Inc. (the "Company") is to assist the Board in its oversight of the enterprise-wide risk management of the Company and its subsidiaries, specifically:
• oversight of the Company's enterprise-wide risk management policies;
• oversight of the operation of the Company's enterprise-wide risk management framework;
• review of changes to the Company's risk profile; and
• oversight of the Company's compliance with its risk appetite statement.
II. Structure and Membership
1. Members. The Committee shall consist of at least three members of the Board, as determined from time to time by the Board.
2. Independence. Each member of the Committee shall: (a) be an "independent director" as defined by applicable rules of the Nasdaq Stock Market; and (b) meet any other requirements imposed by applicable laws, rules and regulations.
3. Risk Assessment Experience. At least one member of the Committee shall have experience identifying, assessing and managing risk exposure of large, complex firms.
4. Chair. The Board shall designate the Chair of the Committee.
5. Compensation. The compensation of Committee members shall be as determined by the Board.
6. Appointment and Removal. The Company's Bylaws shall govern the processes and procedures for the appointment and removal of members of the Committee; provided, that members of the Committee shall be appointed by the Board based upon the recommendation of the Corporate Governance and Nominating Committee.
III. Authority and Responsibilities
The Committee shall discharge its responsibilities, and shall assess the information provided to it by the Company's management and others, in accordance with its business judgement. Management is responsible for the Company's enterprise‐wide risk management, designing, implementing, and maintaining an effective risk management framework for the Company, and planning for, and responding to, the Company's material risks. The Committee's and the Board's role is one of oversight and review. The Committee shall receive and review the periodic and other reports made by management, and periodically meet with management, regarding the enterprise‐wide risk management matters for which the Committee has oversight responsibility.
The Committee shall approve and periodically review the enterprise‐wide risk management policies of the Company's operations. The Committee shall discuss the Company's policies with respect to risk assessment and risk management, including guidelines and policies to govern the process by which the Company's exposure to risk is handled.
Risk Management Framework
1. Oversight of Risk Management Framework. The Committee shall oversee the operation of the Company's enterprise‐wide risk management framework, which includes risk management policies and procedures establishing risk management governance, risk management procedures, and risk control infrastructure for the Company's operations, and processes and systems for implementing and monitoring compliance with such policies and procedures, including processes and systems for:
• assessing and managing risks, benchmarks for and major financial exposures from such risks, supporting methods, risk policies, and risk inventories, as they relate to the Company's credit risk, interest rate risk, price risk, liquidity risk, operational risk, compliance risk, strategic risk and reputational risk;
• identifying and reporting risks and risk management deficiencies, including regarding emerging risks, and ensuring effective and timely implementation of actions to address emerging risks and risk management deficiencies for the Company's operations;
• appraising management’s quarterly assessment of the adequacy of the allowance for loan and lease losses;
• establishing managerial and employee responsibility for risk management (e.g., related to training and risk culture);
• ensuring the independence of the Company's risk management function; and
• integrating risk management and associated controls with management goals.
2. Oversight of Risk Assessment. The Committee shall review management's assessment of the effectiveness of the Company's risk management function, including the appropriateness and effectiveness of resources dedicated to risk management activities. The Committee shall review reports and recommendations provided by management or third-party consultants retained by the Committee related to the Company's risks. The Company shall review significant aggregate risk concentrations and other escalations, and approve significant corrective actions recommended by management. The Committee shall supervise the engagement of third-party consultants to which risk assessment functions have been outsourced, meet directly with such firms as deemed appropriate, and report any material findings to the full Board.
3. Information Security Risks. The Committee shall periodically review the Company’s information security risk management program, including cybersecurity risk.
The Committee shall monitor and understand changes to the risk profile of the Company, with a focus on the most significant risks faced by the Company, and shall escalate to the Board any matters of concern for discussion and potential action.
The Committee shall review and recommend that the Board approve the Company's risk appetite statement on at least an annual basis or as otherwise required by the Company's risk appetite statement. The Committee shall oversee the Company's compliance with the risk appetite statement on behalf of the Board and shall make recommendations for any changes to risk appetite for Board approval. The Committee shall review and take appropriate action in response to notifications from management in the event any inner thresholds or outer limits pursuant to the Company's risk appetite statement are exceeded. The Committee shall measure progress in responding to any directives or recommendations made by any banking regulatory agencies (including the Office of the Kansas State Bank Commissioner and the Federal Deposit Insurance Corporation) as a result of regulatory examinations or visitations.
IV. Procedures and Administration
1. Procedures. Except as provided in this Charter, the Company's Bylaws shall govern the processes and procedures of the Committee, including the appointment and removal of members of the Committee, the calling and holding of meetings and notice and quorum requirements for meetings, and actions by written consent in lieu of a meeting.
2. Meetings. The Committee shall meet as often as it deems necessary in order to perform its responsibilities. The Committee, in its discretion, may ask members of the Board, management (including the Chief Investment Officer and Chief Credit Officer) or such other persons as it deems appropriate to attend its meetings (or portions thereof) and to provide information as necessary. The Committee may also act by unanimous written consent in lieu of a meeting in accordance with the Company's Bylaws. The Committee shall keep regular minutes of its meetings as appropriate.
3. Subcommittees. The Committee may form and delegate authority to one or more subcommittees as it deems appropriate from time to time in its sole discretion; provided, that the Committee shall not delegate to a subcommittee any power or authority required by any law, regulation or Nasdaq Stock Market rule to be exercised by the Committee as a whole. Each subcommittee will consist of one or more members of the Committee.
4. Reports to the Board. The Committee shall report regularly to the Board as appropriate.
5. Charter. At least annually, the Committee shall review and reassess the adequacy of this Charter and recommend any proposed changes to the Board for approval.
6. Independent Advisors. The Committee shall have the authority, in its sole discretion and without further action by the Board, to engage such independent legal counsel and other advisors as it deems necessary or appropriate to carry out its duties. Such independent advisors may be the regular advisors to the Company. The Committee is empowered, without further action by the Board, to cause the Company to pay the compensation of such advisors as established by the Committee.
7. Investigations. The Committee shall have the authority to conduct or authorize investigations into any matters within the scope of its responsibilities as it shall deem appropriate, including the authority to request any officer, employee, or advisor of the Company to meet with the Committee or any advisors engaged by the Committee.
8. Funding. The Company will provide for appropriate funding, as determined by the Committee, for payment of: (a) compensation to any advisors retained by the Committee; and (b) ordinary administrative expenses of the Committee that are necessary or appropriate in carrying out its duties.
Amended and Restated: October 18, 2023