Item - 2025.TTA1.4

The Audit & Risk Management Committee:

1. Approved changes to the TTC’s Enterprise Risk Management Framework.

2. Received the confidential information and authorized that the information remain confidential in its entirety as it contains information about the security of the property of the TTC.

The Audit, Risk and Compliance Department (ARC) has been tasked with facilitating the maturity of the Enterprise Risk Management (ERM) Program at the TTC and provides this report to the Audit & Risk Management Committee (ARMC) to share information on the status of the ERM Program and to facilitate risk owners to report on their Key Enterprise Risks. In summary, this report provides an overview of the following items:

- ERM Framework Review: The ERM Framework was approved by the ARMC on March 19, 2024, and sets out roles and responsibilities, including the responsibility of the ARMC to annually review and approve any further changes to the ERM Framework. In response to consultant recommendations to align the ERM Program with industry best practice, ARC has added a Vision Statement to the ERM Framework to articulate the vision and guiding principles of the ERM Program. No further changes are being proposed except for this addition.

- 2025 ERM Roadmap: This report provides the details of ARC’s annual roadmap so that deliverables are highlighted early in the year. Systematically evaluating progress against annual goals ensures adequate progress and allows for refinement of actions, if necessary, to adapt to any changing priorities or emerging threats in the business environment.

- ERM Multi-Year Maturity Roadmap: A comprehensive roadmap outlining all planned activities necessary to develop and sustain a mature ERM Program is provided within this report. The Roadmap is based on consultant recommendations for implementation and is aligned with best practices. Based on these recommendations, the ERM Multi-Year Maturity Roadmap identifies short-, medium- and long-term actions across a five-year period that are required to bring the TTC’s ERM Program to a desired level of maturity. It provides a holistic view of the program’s planned ERM evolution.

- Risk on a Page Summary Reports: ARC has facilitated the completion of Risk on a Page Summary Reports for all 10 Key Enterprise Risks, which will allow for tracking and monitoring of progress on identified action plans to achieve desired control capability targets. In 2025, ARC will update all Risk on a Page Summary Reports to address feedback provided by Executive risk owners, including the addition of information regarding current control activities.

- Risk on a Page Summary Report Presentation by Risk Owners: ARC designed the Risk on a Page Summary Report template to assist management in providing a high-level overview of their risks, risk response strategies, and current state.