Risk Management Program

The company’s Chief Risk Officer is responsible for enterprise-wide risk management, information security and ensuring the company’s compliance with government regulations.

Annually, the Executive Leadership Team defines a strategic plan and establishes growth priorities that are consistent with the company’s purpose, values, core competencies and risk appetite. Our overall objective is to manage our businesses, and the associated risks, in a way that serves our clients, customers and shareholders while protecting the safety and soundness of the organization.

Every employee is accountable for speaking up and escalating concerns to management regarding compliance with regulation, policy, proscribed process or ethical standards. In addition, the Risk Committee of the Board of Directors meets regularly with key risk management personnel and the Audit Committee receives regular reports from the company’s independent auditor.

Business continuity management program

To minimize the impact of a potential outage or interruption of business operations on our clients, BOK Financial’s Business Continuity Management Program sets recovery priorities, maintains recovery plans, regularly exercises recovery capabilities and provides awareness and training. The business continuity policy, standards and procedures incorporate elements of the ISO 22301 international business continuity management standard.

The company’s Emergency Operations Center (EOC) coordinates response, recovery and resumption for any crisis. With oversight from the company’s Chief Risk Officer, the EOC is modeled after the FEMA Incident Command System and encompasses multiple departments to provide the most efficient response possible.

The company’s business impact analysis (BIA) prioritizes recovery of business functions based on acceptable downtime and restoration from data loss. Business processes are evaluated to determine interdependencies between departments, applications, vendors and services. Using an approach which considers natural, human-made and technology-based threats, processes are evaluated against five impact risk areas: reputational, financial, legal/regulatory, client experience and workforce impact.

Business and disaster recovery plans undergo regular exercises to validate the response strategies and strengthen the plan execution and documentation. The frequency and complexity of these exercises are based on the criticality of business functions and technology.

The Director of Operational Risk manages the business continuity management program and reports to the Chief Risk Officer. The Risk Committee of the Board of Directors oversees the business continuity management program. Key program roles receive annual training on the business continuity management program.

Related documents

Standards of Conduct
The Audit Committee of the Board of Directors annually reviews and approves the company’s Standards of Conduct on which employees are annually trained and attest to. Each member of the Board of Directors takes an annual Oath of Office prescribed by the Office of the Comptroller of the Currency (OCC) and is bound by the company’s Code of Ethics.

Proxy Statement
The company’s annual proxy statement identifies responsibilities of board committees.

10-K
The company’s 10-K reviews a wide array of company performance factors, including any monetary losses as a result of legal proceedings associated with fraud, insider trading, anti-trust, anti-competitive behavior, market manipulation, malpractice, or other related financial industry laws or regulations.

G-SIB Score and Capital Planning

SASB: FN-CB-550a 1 and FN-CB-550a.2
BOK Financial is not a globally or domestically systemically important bank, and is not subject to a mandatory and publicly disclosed capital stress testing regime.

The company does have a capital planning process which includes internal capital stress testing and multiple layers of governance. The Risk Committee of the Board of Directors has oversight responsibility for capital planning and capital adequacy, including stress testing. Management committee responsibility includes the Capital Committee and the Asset Liability Committee. The Chief Financial Officer and the Treasurer have responsibility for the management of capital planning and incorporating results into long-term corporate strategy. Capital planning and stress testing are subject to regulatory examination by our regulatory agencies.

Incorporation of environmental, social and governance factors in credit analysis

SASB: FN-CB-410a.1
The company actively manages credit risk by maintaining a diverse portfolio. Detailed information on credit exposure is available in the company’s 10-K.