Enterprise Risk Management

The mission of our Business Continuity Management (BCM) program is to safeguard the business by implementing end-to-end Business Continuity, Risk Management, and Enterprise Resilience solutions that reduce risk, strengthen operational resilience and build capacity to achieve and sustain long-term capabilities.

Our Enterprise Risk Management (ERM) program helps us manage the risks inherent in our business by gaining a greater understanding and awareness of risks facing the business, ensuring risk-appropriate mitigation efforts are in place, and regularly monitoring and ensuring the company meets or exceeds the expectation of all stakeholders, including investors and regulators. This proactive and systematic approach to risk management is integrated into our decision-making processes and activities, which are essential for achieving strategic and operational objectives. The ERM function is closely aligned with crisis management, business continuity, and disaster recovery.

In 2022, we transitioned to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework, which is a top benchmark for public companies. This framework includes the elements of:

  1. Developing a strong governance and risk-aware culture
  2. Embedding ERM concepts into strategic planning
  3. Identifying ERM risks, scoring, and prioritizing
  4. Reviewing and revising critical response plans
  5. Identifying and sharing information across the network

Utilizing the COSO framework helps to eliminate siloed risk management and group risks under five main categories: Financial, Operational, Strategic, Legal & Compliance, and Cybersecurity. This focus enables West to embed ERM into daily operations and strategy setting, effectively linking growth, risk, and return.

We have enhanced our ERM and Security team to better position the company to evaluate, control, and respond to the risks and challenges presented by unforeseen natural and human-caused disasters and health crises. This includes appointing a dedicated Enterprise Risk Manager who conducted a robust review to identify our most significant risks along with establishing a physical security team focused on Enterprise Security Risk Management.

Our Business Continuity and Resilience team engaged our manufacturing sites to review and substantially update our business continuity plans to ensure the consistent delivery of high-quality products during times of crisis, especially given our role as a supplier within the global healthcare supply chain.

We apply an enterprise-wide approach to Business Continuity Management (BCM) to maintain a duty of care for our team members, protect customers and corporate assets, and minimize financial, legal, reputational, and strategic impact. In addition, West aims to ensure the continuation and rapid recovery of critical business, manufacturing, and distribution operations in the event of major internal or external incidents.

As a result of planning, training, and exercises, we provided effective response and recovery support during Hurricanes Fiona and Ian, ensuring that West’s sites in Cayey, Puerto Rico, and St. Petersburg, Florida, all were well-prepared and recovered quickly.

The BCM program aligns with ISO 22301 and other applicable standards and regulatory requirements. Executive leadership provides global, regional, and local program sponsorship and governance.

Cybersecurity

We are committed to maintaining a strong cybersecurity program to protect West’s critical infrastructure, our information assets, our customers, and other stakeholders’ information.

Our key infrastructure and cybersecurity initiatives have focused on:

  • Data Loss Prevention — enforced security and compliance on all managed devices, prevented exfiltration of sensitive data, and blocked unauthorized transfer of West confidential and proprietary data.
  • Automated Asset Detection and Management — deployed an automated tool to manage IT assets with traceability, improved lifecycle management, and accelerated incident response.
  • Global Cybersecurity Awareness Program (Phishing) — established a robust Cybersecurity Awareness Program to improve user awareness and behavior and evaluate progress and areas for improvement.

We have adopted the National Institute of Standards and Technology (NIST) Framework, which provides a comprehensive method for developing a flexible, repeatable, performance-based, and cost-effective approach to identifying and managing cybersecurity risks. We use the NIST Framework to assess and improve our security posture, including engaging a third-party consultant to analyze our information security capabilities against the NIST Framework.

Our cybersecurity defenses also utilize technologies, such as next-generation firewalls, intrusion detection and prevention measures, security information and event management, anti-malware, advanced threat protection, multifactor authentication, network segmentation, and encryption, to ensure the privacy and security of our customers’ data. We also have a dedicated Security Operations Center monitoring our applications and infrastructure on a 24/7 basis, which is integrated with our enterprise crisis management framework. In 2022, West did not suffer any known cybersecurity breaches.

Each year, we hold a global Cybersecurity Awareness Campaign across the company to reinforce key messages around cybersecurity. Team members are required to complete various trainings on cybersecurity upon hire and on an annual basis, including internally developed cybersecurity training, anti-phishing training, and general information security training, all of which are provided in multiple languages. We provide a regular cadence of communications to our team members, educating them on the latest cybersecurity threats and how to protect the company’s assets.
