ITEM 10. DIRECTORS, EXECUTIVE OFFICERS AND CORPORATE GOVERNANCE
A list of our executive officers appears in Part I, Item 1 to this Annual Report on Form 10-K.
The information required by this item will be included in our 2024 Proxy Statement, which will be filed with the SEC within 120 days after the end of our fiscal year ended February 29, 2024, and is incorporated herein by reference.
Audit and Risk Management Committee
The Audit and Risk Management Committee’s purpose is to provide assistance to the Board in fulfilling its legal and fiduciary obligations with respect to matters involving the accounting, auditing, financial reporting, internal control, and legal compliance and risk management functions of the Company and its subsidiaries. It is the objective of the Audit and Risk Management Committee to maintain free and open means of communications among the Board, the independent auditors and the financial and senior management of the Company. The full text of the Audit and Risk Management Committee’s Charter can be viewed on the Company’s website at https://www.blackberry.com/ca/en/company/investors/corporate-governance-global.
Applicable securities laws require that, subject to certain exceptions, all members of the Audit and Risk Management Committee be “independent” under Sections 1.4 and 1.5 of National Instrument 52-110 of the Canadian Securities Administrators - Audit Committees and the rules and regulations of the NYSE, and “financially literate”, meaning that the committee member has the ability to read and understand a set of financial statements that present a breadth and level of complexity of accounting issues that are generally comparable to those issues reasonably expected to be raised by the Company’s financial statements. Ms. Disbrow (Chair), Ms., Dr. Smaldone Alsup and Mr. Wouters are the members of the Audit and Risk Management Committee, and each is an independent director of the Company and financially literate, based on his or her education and experience as described below. The Audit and Risk Management Committee has also developed, in conjunction with the Company’s Chief Financial Officer and other accounting personnel, an orientation and continuing education program that will provide the new members of the Audit and Risk Management Committee with additional information and understanding about the accounting and financial presentation issues underlying the Company’s financial statements.
The members of the Audit and Risk Management Committee bring significant skill and experience to their responsibilities including professional experience in accounting, business, management and governance, and finance. The specific education and experience of each member that is relevant to the performance of his or her responsibilities as such member of the Audit and Risk Management Committee are set out below:
Lisa Disbrow (Chair) – Ms. Disbrow has a BA from the University of Virginia, an MA from The George Washington University in International Relations, and an MS from The National War College in National Strategy. Ms. Disbrow serves on the President’s Export Council and is a Commissioner on the Congressional Planning, Programming, Budgeting & Execution Reform Commission. Ms. Disbrow is also the Chair of the NobleReach Foundation, as well as a director of CACI International Inc, Mercury Systems and SparkCognition, Inc. In addition, she is a Senior Fellow at the Johns Hopkins University Applied Physics Lab and the Vice Chair of the National Defense Industrial Association. Previously, she served over 30 years in senior civilian and military positions in the U.S. government, and was the Senate-confirmed Under Secretary of the United States Air Force. She also served as Acting Secretary of the U.S. Air Force and was the Senate-confirmed chief financial officer of the Air Force, as the Assistant Secretary for Financial Management and Comptroller.
Dr. Laurie Smaldone Alsup – Dr. Smaldone Alsup has an MD from Yale University, where she completed her residency in Internal Medicine and fellowship in Medical Oncology. She is Chief Scientific Officer and Chief Medical Officer of NDA Group AB (which merged in 2016 with PharmApprove, where Dr. Smaldone Alsup was President and Chief Scientific Officer), a leading drug development consulting company. She was previously Chief Executive Officer of Phytomedics, an early-stage biopharmaceutical company focused on arthritis and inflammation, prior to which she held clinical and regulatory leadership roles at Bristol Myers Squibb, including Senior Vice President of Global Regulatory Science, where she also developed and led Business Risk Management for the company. Dr. Smaldone Alsup is a director of Arvinas, Inc., Kinnate Biopharma Inc. and Theravance Biopharma, Inc.
The Hon. Wayne Wouters – Mr. Wouters has a BComm (Honours) from the University of Saskatchewan and an MA in economics from Queen’s University. From 2009 to 2014, Mr. Wouters was the Clerk of the Privy Council of Canada and held the roles of Deputy Minister to the Prime Minister, Secretary to the Cabinet and Head of the Public Service. Prior to his tenure as Clerk, Mr. Wouters was Secretary of the Treasury Board of Canada and served in deputy ministerial and other senior positions in the Canadian public service. He is currently Strategic and Policy Advisor to McCarthy Tétrault LLP and a director of Champion Iron Limited, Canadian Utilities Limited and Foran Mining Corporation. He was inducted by the Prime Minister as a member of the Privy Council in 2014 and was invested into the Order of Canada as an officer in 2017. Mr. Wouters has extensive experience with economic policy and international trade matters, which included oversight of multi-billion dollar budgets on behalf of the Government of Canada.
The Board has also determined that Ms. Disbrow is an audit committee financial expert within the meaning of General Instruction B(8)(a) of Form 10-K under the U.S. Securities Exchange Act of 1934, as amended. The SEC has indicated that the designation of a person as an audit committee financial expert does not make such person an “expert” for any purpose, impose any duties, obligations or liability on such person that are greater than those imposed on members of the Audit Committee and the Board who do not carry this designation or affect the duties, obligations or liability of any other member of the audit committee or the Board.
Enterprise Risk Management
The Company recognizes that risks are associated with delivering on its strategy and achieving its corporate objectives. Managing these risks is an essential part of the Company’s business and the Company aims to promote a culture of risk management and compliance at all levels in the organization. The Company has defined and implemented an approach to manage its exposure to risk, consisting of: (i) a risk management framework to regularly identify, assess, treat, monitor and report on current and potential risks, and (ii) a governance structure that clearly defines the responsibilities of the Board, the senior leadership team, employees and other stakeholders to support the risk management framework. This approach to enterprise risk management is integral to the Company’s business activities and is designed to:
• promote effective corporate governance and decision-making by enabling the consistent identification and evaluation of risk on a consolidated basis;
• ensure that risks are managed proactively and appropriately in the context of the Company’s strategy and objectives;
• support the development of internal controls;
• facilitate the reliability and transparency of financial and operational reporting;
• assist in compliance with laws, regulations, policies, and contracts; and
• reduce harm to financial performance and safeguard the Company’s assets.
Risk Management Framework Policy and Risk Appetite
The Company’s risk management framework policy defines responsibilities for the identification, assessment, management and reporting of risks, and sets out expectations for ownership, resource assignment and compliance. The scope of the framework embraces internal functions as well as those activities for which the Company engages support from third parties.
To support the risk management framework and risk oversight activities, the Company maintains a risk appetite statement that defines, by category of risk, the Company’s tolerance for risk-taking having regard to potential rewards and overall business strategies and objectives. The Company’s four risk categories are: (i) strategy and innovation, (ii) operations, (iii) legal, compliance and reputation, and (iv) financial management and reporting. The Company’s risk profile is assessed against the risk appetite statement, which is reviewed and updated as the Company’s business strategy and operating environment evolve.
Risk Governance and Oversight
The Company utilizes a “three lines of defense” governance structure to define how the responsibility for risk management activities is assigned:
• The first line of defense for managing risks resides with the management of each business group. Risk exposures are identified and mitigated at a granular level through various ongoing management activities including business planning, operations management, reporting, and process improvement projects.
• Oversight of business unit management is provided by the second line of defense, the Security Risk and Compliance Committee (“SRCC”), which meets at least quarterly and is supported by various compliance, security and control functions. The SRCC is composed of manager representatives from each major business group and provides strategic direction by defining key policies, identifying emerging risk trends, and sponsoring training.
• The internal audit function comprises the third line of defense, providing independent assurance of the effectiveness of the Company’s risk management activities and internal controls related to (i) financial reporting and integrity and (ii) other areas of risk as assigned by the Audit and Risk Management Committee from time to time, including cybersecurity risk. The internal audit function may also review the governance structures and mandates of the first two lines of defense.
Additional governance and oversight is provided by the Risk Management and Compliance Council (“RMCC”), a council of internal senior leaders who oversee the risk management activities undertaken by business group management and the SRCC. The RMCC reviews the Company’s risk dashboard and monitors remediation activities to address gaps. The RMCC also approves the risk appetite statement and promotes a culture of risk management and compliance across the Company. The RMCC meets at least quarterly with the Chief Risk Officer serving as the Chair. Phil Kurtz, the Company’s Chief Legal Officer and Corporate Secretary, serves as the Chief Risk Officer and reports to the Audit and Risk Management Committee, at least quarterly, on the activities of the RMCC.
The Board is ultimately responsible for overseeing the Company’s risk identification, assessment, management, monitoring and reporting activities. The Audit and Risk Management Committee assists the Board with the oversight of enterprise risk management at the Company, including risk assessment, risk compliance, the internal audit function and the controls, processes and policies used to manage the Company’s risk. The Compensation, Nomination and Governance Committee of the Board also assists the Board with the oversight of risk management and controls with respect to the Company’s compensation policies and practices, including the administration of the Company’s equity-based compensation plans.
The Company also includes risks related to climate change and other environmental, social and governance considerations as part of its enterprise risk management process.
Ethical Business Conduct and Code of Business Standards and Principles
The Company maintains and follows a written code of business standards and principles (the “Code”) that applies to, and is acknowledged annually by, all of the directors, officers and employees of the Company. The Code is a statement of principles designed to promote a culture of integrity and to help ensure that the Company operates its business in an ethical and legally-compliant manner. The Code incorporates by reference a number of policies and guidelines, including the Company’s Prevention of Improper Payments Policy and Insider Trading Policy, that provide guidance to employees concerning business choices, decisions and behaviours. The Code expressly provides that acknowledgment of the Code is a condition of employment, as is completion of all assigned training related to the Code and related policies and guidelines.
The Board, through the Audit and Risk Management Committee, receives reports on compliance with the Code, including regarding the Company’s annual program to have employees acknowledge that they have read, understand and will comply with the Code. The Company maintains a whistleblower program and makes whistleblower reporting available to employees and external parties via a web and telephone hotline-based system supplied and operated by a third party that specializes in such reporting systems. The system allows individuals to make whistleblower reports, including anonymously, to the Company or directly to the Chair of the Audit and Risk Management Committee via the BlackBerry EthicsLink system and enables the Company or the Chair of the Audit and Risk Management Committee, as appropriate, to follow up directly with the reporter while maintaining his or her anonymity. Employees are advised of the whistleblower program as part of the Company’s annual Code acknowledgement program. Management reports on the status of whistleblower reports to the Audit and Risk Management Committee at its quarterly meetings.
In addition, the Board is responsible for overseeing, directly and through its committees, an appropriate compliance program for the Company. The RMCC and SRCC oversee and assist management in maintaining the Company’s compliance program and policies. Phil Kurtz, the Company’s Chief Legal Officer and Corporate Secretary, reports to the Audit and Risk Management Committee at least quarterly on compliance matters in his capacity as Chair of the RMCC.
The Code is available on the Company’s website at https://www.blackberry.com/us/en/company/corporate-responsibility, or upon request to the Corporate Secretary of the Company at its executive office, 2200 University Avenue East, Waterloo, Ontario, N2K 0A7. If the Company makes any substantive amendments to the Code or grants any waiver, including any implicit waiver, from a provision of the Code to the Chief Executive Officer or Chief Financial Officer, the Company will disclose the nature of the amendment or waiver on that website or in a report on Form 8-K. The Company did not grant any such waiver in fiscal 2024.