Risk/Compliance Committee Charter

May 10, 2024

Purpose

The purpose of the Risk/Compliance Committee (the "Committee") of The Middlefield Banking Company (referred to herein as the "Company") is to assist the Board of Directors in fulfilling its oversight responsibilities with regard to the risk appetite of the Company, the enterprise-wide risk management and compliance framework, and the governance structure that supports it. Risk appetite is defined as the level and type of risk a firm is able and willing to assume in its exposures and business activities, given its business objectives and obligations to stakeholders.

Membership and Qualification

The Committee shall be composed of at least three members of the Board of Directors, each of whom must be and remain independent. A Committee member shall not be considered independent if he or she fails to satisfy the standards of independence set forth by the rules of the Securities and Exchange Commission and NASDAQ. No member of the Committee may accept any consulting, advising, or other compensatory fee from the Company except for service on the Board of Directors or a committee or committees of the board.

The members of the Committee shall be appointed annually by the board. The board shall designate one member of the Committee to be Committee Chairperson.

The Chairperson of the Committee shall have risk management expertise that is commensurate with the Company's risk profile, complexity, activities, size, and other appropriate risk-related factors. The term "risk management expertise" means: (i) an understanding of risk management principles and practices with respect to bank holding companies or depository institutions, and the ability to assess the general application of such principles and practices; and, (ii) experience developing and applying risk management practices and procedures, measuring and identifying risks, and monitoring and testing risk controls with respect to banking organizations. If time permits, the Chairperson of the Risk/Compliance Committee shall be a member of the Audit Committee.

Given the importance of risk management, all Committee members should have an understanding of risk management principles and practices relevant to the Company.

Meetings and Other Actions

The Committee will meet as often as it determines is necessary, but not less than quarterly. The Committee may also act by unanimous written consent in lieu of a meeting.

Meetings may be called by the Committee Chairperson or by a majority of Committee members. All meetings and other actions of the Committee shall be according to the Company's regulations, including provisions governing notice of meetings and waivers of notice, the number of Committee members required to take actions at meetings and by written consent, and other related matters. Unless contrary to the regulations, a majority of the members of the Committee shall constitute a quorum, and any act of a majority of the members present at any meeting at which a quorum is present shall be the act of the Committee.

Reports of meetings and actions taken at meetings or by consent of the Committee since the most recent board meeting shall be made by the Committee Chairperson or his or her delegate to the board at the time of or before the board's next regularly scheduled meeting after the Committee meeting or action. The report shall be accompanied by any recommendations from the Committee to the board. In addition, the Committee Chairman or his or her delegate shall be available to answer any questions the other directors may have regarding the matters considered and actions taken by the Committee. On at least an annual basis the Committee Chairperson will report to the Board on Risk Management efforts.

The Committee may, in its discretion, delegate all or a portion of its duties and responsibilities to a subcommittee of the Committee. Each subcommittee shall consist of no fewer than two members of the Committee.

The Committee may meet in joint session with the Audit Committee of the Board from time to time to discuss areas of common interest and significant matters including, but not limited to, major investment portfolio issues, frauds, major regulatory enforcement actions, major litigation or whistleblower matters, and systemic technology issues.

The Committee may request any officer or employee of the Company, or any special counsel or advisor, to attend a meeting of the Committee or to meet with any members of, or consultant to, the Committee. The agenda for each meeting of the Committee will provide time during which the Committee can meet separately in executive session with management, the Chief Executive Officer, the Chief Risk Officer, the Compliance Officer, the independent auditors and as a Committee to discuss any matters the Committee or these groups believe should be discussed.

Authorities, Duties and Responsibilities

To fulfill its responsibilities and duties, the Committee shall satisfy itself that sound policies, procedures, and practices are implemented for the management of key risks under the Company's Enterprise Risk Management (ERM) framework, which includes credit, interest rate (market), liquidity, compliance/legal, information technology, operational, strategic, and reputation. More specifically, the Committee shall:

Establish Policies

  1. Receive presentations, risk assessments, and other information to understand the significant risks to which the Company is exposed.
  2. Review with management the Company's procedures and techniques, and approve, where appropriate, policies developed and implemented to measure the Company's risk exposures and for identifying, aggregating, evaluating and managing the significant risks to which the Company is exposed, and review such procedures, policies and techniques at least once a year to satisfy itself that they remain appropriate and prudent.
  3. Monitor, on a regular basis, the Company's risk management performance and obtain, on a regular basis, reasonable assurance that the Company's risk management policies for significant risks are adhered to.
  4. Periodically examine the risk culture of the Company by inquiring with management as well as through the review and discussion of such indicators as compliance with corporate policies and training records, regulatory feedback and responsiveness to audit, exam and other supervisory findings.

Monitor Policies

  1. Review the amount, nature, characteristics, concentration and quality of the Company's credit portfolio, as well as all significant exposures to credit risk through reports on significant credit exposures presented to the Committee and review of exceptions to risk policies and procedures, if any, and trends in portfolio quality (credit and position risk), market risk, liquidity risk, economic trends and other risk information.
  2. Review and approve significant risk management principles and policies (as delegated by the board) and procedures recommended by the Company's management, and review periodically, but at least once a year, the management programs related thereto to oversee compliance with such principles and policies. Specifically, the Committee shall have the primary responsibility for reviewing risk policies related to the following:
    1. credit risk
    2. interest rate (market) risk
    3. liquidity risk
    4. compliance/legal risk
    5. information technology risk
    6. operational risk
    7. strategic risk
    8. reputation risk
  3. Review disclosure regarding risk contained in the Company's Annual Report on Form 10-K and Quarterly Reports on Form 10-Q.
  4. Review and approve any other matters required by the Company's regulators from time to time.

Risk Management Department Oversight

  1. Review the Risk Department of the Company, including the mandates of the Risk Management Department and the Chief Risk Officer at least annually. In addition, the Committee shall:
    1. review regular reports prepared by the Chief Risk Officer together with management's response and follow-up on outstanding issues, as necessary;
    2. at least annually assess the effectiveness of the Risk Management Department and the Chief Risk Officer;
    3. be consulted in the appointment and dismissal of the Chief Risk Officer of the Company; and
    4. provide a forum for the Chief Risk Officer to raise any risk issues or issues with respect to the relationship and interaction between the Risk Department and senior management of the Company, internal and/or external auditors, and regulators.

General

The Committee shall have the following additional general duties and responsibilities:

  1. Review and assess the adequacy of this Charter at least annually and submit this Charter to the Board for approval upon amendment.
  2. From time to time and, as needed, Committee members will participate in education sessions to enhance their familiarity with risk-related issues.
  3. Perform such other functions and tasks as may be mandated by regulatory requirements applicable to risk management committees or as delegated by the board.
  4. Periodically conduct an evaluation of the Committee to assess its contribution and effectiveness in fulfilling its mandate.
  5. Review significant pronouncements and changes to key regulatory requirements relating to the risk management area to the extent they apply to the Company.
  6. Report to the board on material matters arising at Risk Committee meetings following each meeting of the Committee. Report, as required, to the Audit Committee on issues of relevance to that committee.
  7. Maintain minutes or other records of meetings and activities of the Committee.

While the Committee has the responsibilities and duties set forth in this Charter in its oversight capacity, the duty of the operational management of the Company's aggregate risk management program is the responsibility of the management level Risk Management Oversight Committee (RMOC) and the Risk Management Department.

Disclaimer

Middlefield Banc Corp. published this content on 16 May 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 16 May 2024 18:06:03 UTC.