2018 Guide to Effective Proxies

6 TH EDITION | GUIDE TO EFFECTIVE PROXIES 218 AT&T, INC. CorporateGovernance Public Policy Engagement We participate in public policy dialogues around the world related to our industry and business priorities, our more than 252,000 employees, our stockholders, and the communities we serve. In the U.S., the Company and our affiliated political action committees comply with applicable laws and other requirements regarding contributions to: political organizations, candidates for federal, state and local public office, ballot measure campaigns, political action committees, and trade associations. We engage with organizations and individuals to make our views clear and uphold our commitment to help support the communities in which we operate. We base our U.S. political contributions on many considerations, support- ing candidates who take reasonable positions on poli- cies that promote economic growth as well as affect our long-term business objectives. The Public Policy and Corporate Reputation Commit- tee of our Board of Directors reviews our advocacy efforts, including political contributions. Additional information about our public policy engagement efforts, including our political contributions policy and a report of U.S. political contributions from our Com- pany and from AT&T’s Employee Political Action Committees, can be viewed on our website at www.att.com. Board’s Role in Risk Oversight The Board is responsible for overseeing our policies and procedures for assessing and managing risk. Management is responsible for assessing and manag- ing our exposures to risk on a day-to-day basis, includ- ing the creation of appropriate risk management policies and procedures. Management also is respon- sible for informing the Board of our most significant risks and our plans for managing those risks. Annually, the Board reviews the Company’s strategic business plans, which includes evaluating the competitive, technological, economic and other risks associated with these plans. In addition, under its charter, the Audit Committee reviews and discusses with management the Compa- ny’s major financial risk exposures and the steps management has taken to monitor and control such exposures, including the Company’s risk assessment and risk management policies, as well as overseeing our compliance program, compliance with legal and regulatory requirements and associated risks. This includes, among other matters, evaluating risk in the context of financial policies, counterparty and credit risk, and the appropriate mitigation of risk, including through the use of insurance where appropriate. Members of the Company’s finance, internal audit, and compliance organizations are responsible for manag- ing risk in their areas and reporting regularly to the Audit Committee. The Company’s senior internal auditing executive and Chief Compliance Officer each meet annually in execu- tive session with the Audit Committee. The senior internal auditing executive and Chief Compliance Offi- cer review with the Audit Committee each year’s annual internal audit and compliance risk assessment, which is focused on significant financial, operating, regulatory and legal matters. The Audit Committee also receives regular reports on completed internal audits of these significant risk areas. In addition, the Audit Committee, as well as the Board of Directors, receive reports from responsible officers on cybersecurity. The AT&T Chief Security Office estab- lishes policy and requirements for the security of AT&T’s computing and networking environments. Ethics and Compliance Program The Board has adopted a written Code of Ethics appli- cable to Directors, officers, and employees that out- lines our corporate values and standards of integrity and behavior and is designed to foster a culture of integrity, drive compliance with legal and regulatory requirements and protect and promote the reputation of our Company. The full text of the Code of Ethics is posted on our website at www.att.com. Our Chief Compliance Officer has responsibility to implement and maintain an effective ethics and com- pliance program. He also has responsibility to provide updates on our ethics and compliance program to the Audit Committee. | 40 | www.att.com ATLAS AIR WORLDWIDE HOLDINGS, INC. CORPORATEGOVERNANCE,BOARDANDCOMMITTEEMATTERS Board Oversight of Risk-Mitigation Process TheBoardofDirectorsisresponsibleforoversightoftheCompany’srisk-assessmentandmanagementprocess. The Board delegates to the Compensation Committee responsibility for oversight of management’s compensation risk assessment, and ensuring that the compensation practices of the Company continue to not encourage excessiverisk-takingbymanagement. The Board delegates other risk-management oversight matters to our Audit Committee. The Audit Committee’s responsibilitiesinclude: • Direct oversight of our internal audit function, including the organizational structure and staff qualification, as wellasthescopeandmethodologyoftheinternalauditprocess;and • A review, at least annually, of our enterprise risk-management plan to ensure that appropriate measures and processesareinplace,includingdiscussionofthemajorrisks,thekeystrategicplanassumptionsconsidered duringtheassessmentandstepsimplementedtomonitorandmitigatesuchexposuresonanongoingbasis. TheAuditandCompensationCommitteesreporttotheBoard,asappropriate,whenamatterrisestothelevelofa material, enterprise-level risk. In addition to the reports from the Audit and Compensation Committees, the Board periodicallydiscussesriskoversight,includedaspartofitsannualdetailedcorporatestrategyreview. The Company’s management is responsible for day-to-day risk management. Our Internal Audit, Safety, Security, Corporate Controller, Information Technology, Human Resources, Legal, Business Resiliency, and Treasury Departments serve as the primary monitoring and testing functions for Company-wide policies and procedures, and manage the day-to-day oversight of the risk management strategy for the ongoing business of the Company. This oversight includes identifying, evaluating, and addressing potential risks that may exist at the enterprise, strategic,financial,operational,technological,compliance,andreportinglevels. We believe that the division of risk-management responsibilities as described above is an effective approach for addressingrisksfacingtheCompany. Director Independence The Nominating and Governance Committee has determined that all Directors, including our new Nominees but excluding Mr. Flynn, are independent under Company standards and SEC and NASDAQ rules. The Nominating and Governance Committee classifies the following Directors nominated for election at the Annual Meeting as independent:Ms.Hallett,LuteandStampandMessrs.Agnew,Bernlohr,Bolden,Griffin,McNabbandWulff. Our Nominating and Governance Committee Charter includes categorical standards to assist the Nominating and Governance Committee in making its determination of Director independence within the meaning of the rules of the SEC and the Marketplace Rules of NASDAQ. The Nominating and GovernanceCommittee will not consider a Directortobeindependentif,amongotherthings,heorshe: • Wasemployedbyusatanytimeinthelastthreeyears; • Has an immediate family member who is, or in the past three years was, employed by us as an executive officer; • Has acceptedor has an immediatefamilymemberwhohasacceptedanycompensationfromusinexcessof $120,000 during a period of 12 consecutive months within the three years preceding the determination of independence (other than compensation for Board service, compensation to a family member who is a nonexecutiveemployee,orbenefitsunderatax-qualifiedretirementplanornondiscretionarycompensation); • Is, was or has a family member who is or was a partner, controlling shareholder, or executive officer of any organization to which we made or from which we received payments for property or services in the current year or any of the past three fiscal years in an amount that exceeds the greater of $200,000 or 5% of the recipient’sconsolidatedgrossrevenuesfortheyear; 16 | AtlasAirWorldwideHoldings,Inc. 2018Notice&ProxyStatement BANK OF AMERICA CORPORATION CorporateGovernance Board Oversight of Risk Riskisinherentinallofourbusinessactivities.OneofthetenetsofResponsibleGrowthis“wemustgrowwithinourrisk framework.”Weexecuteonthatstrategy throughourcommitmenttoresponsibleandrigorousriskmanagementandthrougha comprehensiveapproachwithadefinedRiskFrameworkandawellarticulatedRiskAppetiteStatement.TheRiskFramework andRiskAppetiteStatementareregularlyreviewedwithaneyetowardsenhancementsandimprovements.TheRiskFramework setsforthclearroles,responsibilities,andaccountabilityforthemanagementofriskanddescribeshowourBoardoversees theestablishmentofourriskappetiteandofbothquantitativelimitsandqualitativestatements andobjectivesforour activities.Thisframeworkofobjective,independentBoardoversightandmanagement’srobustriskmanagementbetterenables ustoserveourcustomers,deliverlong-termvalueforourstockholders,andachieveourstrategicobjectives. Our Risk Governance Documents Our RiskFramework servesasthefoundationforconsistentandeffectiveriskmanagement.Itoutlinestheseventypesofrisk thatourcompanyfaces:strategicrisk;creditrisk;marketrisk;liquidityrisk;operationalrisk(includingmodel,conduct,and cyberrisk);compliancerisk;andreputationalrisk.Itdescribescomponentsofourriskmanagementapproach,includingour cultureofmanagingriskwell,riskappetite,andriskmanagementprocesses,withafocusontheroleofallemployeesin managingrisk.Italsooutlinesourriskmanagementgovernancestructure,includingtherolesofourBoard,management,lines ofbusiness,independentriskmanagement,andcorporateauditwithinthegovernancestructure. Our RiskAppetiteStatement definestheaggregatelevelsandtypesofriskourBoardandmanagementbelieveappropriateto achieveourcompany’sstrategicobjectivesandbusinessplans. Our Risk Governance Structure Our Board providesobjective, independentoversightof riskand: • receives regularupdates fromourAuditCommitteeandEnterpriseRiskCommittee,providingourBoardwith integrated, thorough insightabouthowour companymanages risk • receives regular risk reporting frommanagement, includinga report thataddressesandprovidesupdatesonkeyand emerging risks • hasa stand-alone sessionateach in-personBoardmeeting todiscuss the risks thatare consideredprevailingorurgent, including those identified inmanagement’s reportonkey risks • oversees seniormanagement’sdevelopmentofourRiskFramework,ourRiskAppetiteStatement,andour capital, strategic, and financialoperatingplans • overseesdirectlyand through committeesour financialperformance,executionagainst capital, strategic,and financial operatingplans, compliancewith riskappetiteparameters,and theadequacyof internal controls,eachofwhichour managementmonitors • approvesourRiskFrameworkandRiskAppetiteStatementannually Our AuditCommittee providesadditional risk managementoversight for compliance risk,and regularly receivesupdates from management on compliance risk-relatedmatters. Our EnterpriseRiskCommittee hasprimary committee responsibility foroverseeing theRiskFrameworkandmaterial risks facingour company. TheCommittee regularly receives updates frommanagementon risk-relatedmattersand risk reporting frommanagement, includinga report thataddressesand providesupdatesonkeyandemerging risks. TheCommitteealso oversees seniormanagement’sdevelopmentofourRisk Framework,ourRiskAppetiteStatement,andour capital, strategic,and financialoperatingplans. Inaddition,ourEnterprise RiskCommitteeapprovesourRiskFrameworkandRiskAppetite Statementonanannualbasisand recommends them to theBoard forapproval. Our Compensation andBenefits Committee oversees thedevelopmentofour compensationpolicies andpractices,which aredesigned tobalance riskand reward in away thatdoesnot encourageunnecessary orexcessive risk-taking byouremployees. BankofAmericaCorporation2018ProxyStatement 27 Total of 02 pages in section BB&T CORPORATION CorporateGovernanceMatters complaintsthatincludesthetrackingofthereceiptoftheirreferral,investigationandresolution.Generally,ifsuchacomplaint israisedbyanattorneyinourlegaldepartment,thenthecomplaintwillbereferredtoourChiefExecutiveOfficer.TheGeneral Counsel(ortheChiefExecutiveOfficer,asthecasemaybe)periodicallypreparesasummaryreportofsuchcomplaintsfor theAuditCommittee,whichoverseestheconsiderationofallreportedcomplaintscoveredbythispolicy.Thetelephone numberforreportingcomplaintsasdescribedinthissectionis800-432-1911. Risk Oversight Ourvision,missionandvaluesarethefoundationfortheriskmanagementframeworkutilizedatBB&Tandtherefore serveasthebasisonwhichtheriskappetiteandriskstrategyarebuilt.OurRiskManagementOrganization(RMO)provides independentoversightandguidanceforrisk-takingacrosstheenterprise.Inkeepingwiththebeliefthatconsistentvaluesdrive long-termbehaviors,ourRMOhasestablishedthefollowingriskvalueswhichguideprinciplesofassociates’day-to-day activities: • Managingriskistheresponsibilityofeveryassociate. • Proactivelyidentifyingriskandmanagingtheinherentrisksoftheirbusinessistheresponsibilityofourbusinessunits. • Managingriskwithabalancedapproachwhichincludesquality,profitability,andgrowth. • Measuringwhatismanagedandmanagingwhatismeasured. • Utilizingaccurateandconsistentriskmanagementpractices. • Thoroughlyanalyzingriskquantitativelyandqualitatively. • Realizinglowercostofcapitalfromhighqualityriskmanagement. • Ensuringthereisappropriatereturnfortherisktaken. Asillustratedbelow,weexecuteonourriskvaluesthroughariskmanagementframeworkbasedonthefollowing“three linesofdefense:” 1 st Line of Defense Business Units 2 nd Line of Defense Risk Functions 3 rd Line of Defense Audit Services Board of Directors Chief Risk Officer Risk Committees Executive Management • FirstLineofDefense:Riskmanagementbeginswiththebusinessunitsandcorporatesupportgroups,thepointat whichriskisoriginatedandwhererisksmustbemanaged.Businessunitmanagersinthefirstlineidentify,assess, control,andreporttheirrespectivegroup’sriskprofile. • SecondLineofDefense:TheRMOprovidesindependentoversightandaggregates,integrates,andcorrelatesrisk informationintoaholisticpictureoftheCorporation’sriskprofileandconcentrations. • ThirdLineofDefense:AuditServices(BB&T’sinternalauditfunction)evaluatesthedesignandeffectivenessoftherisk managementframeworkanditsresults. WeplacesignificantemphasisonriskmanagementandmaintainaseparateBoard-levelRiskCommitteewhichoversees riskreportingtotheBoardofDirectorsandfunctionsasasignificantpartofourriskmanagementframework.Amongits responsibilities,theRiskCommitteemonitorsourriskprofile,approvesriskappetitestatements,andprovidesinputto managementregardingourriskappetiteandriskprofile. TheRMOisledbytheChiefRiskOfficer(CRO)andisresponsibleforfacilitatingeffectiveriskmanagementoversight, measurement,monitoring,reporting,andconsistency.TheCROhasdirectaccesstoourBoardofDirectorsandExecutive Managementtocommunicateanyriskissues(currentoremerging)aswellastheperformanceoftheriskmanagement 24 BB&TCorporation | 2018ProxyStatement Total of 02 pages in section