EXELIXIS, INC.
RISK COMMITTEE CHARTER

PURPOSE

The purpose of the Risk Committee (the Committee) of the Board of Directors (the “Board”) of Exelixis, Inc. (the “Company”) is to assist the Board in its oversight of management’s responsibility to assess, manage and mitigate risks associated with the Company’s business and operational activities.

MEMBERSHIP

The Committee shall consist of at least three (3) members of the Board, and all members of the Committee shall, in the judgment of the Board, have relevant experience in the management of business risks. No Committee member shall be a current employee of the Company, and each member shall be free from any relationship that would interfere with the exercise of his or her independent judgment, as determined by the Board, in accordance with the applicable independence requirements of the Nasdaq Stock Market and the rules and regulations of the Securities and Exchange Commission. The Board shall appoint the members of the Committee and the Chair of the Committee.

AUTHORITY

The Committee shall have the authority to obtain, at the expense of the Company and in coordination with its officers, advice and assistance from internal or external legal, financial, technology, risk management or any other advisors and consultants as it deems appropriate. Other reasonable expenditures for external resources that the Committee deems necessary or appropriate in the performance of its duties are permitted and shall be paid for by the Company.

Except to the extent inconsistent with any laws and rules applicable to the Company, any responsibility or authority of the Committee under this Charter may be delegated as appropriate by the Board or the Committee, including to the Chair of the Committee or to a subcommittee composed of one or more Committee members and/or other members of the Board and/or officers of the Company.

KEY RESPONSIBILITIES

The Committee shall:

• Review the Company’s overall risk management framework and infrastructure designed to identify, assess, manage and mitigate the Company’s material risks, including the use of insurance for such purpose.
• Review the policies, guidelines and practices implemented by the Company aimed at the management of business and operational risks.
• Oversee management’s identification, assessment and management of the Company’s business and operational risks not specifically allocated to the Board or another committee of the Board, and obtain periodic reports on such matters from the Company’s Ethics Committee, the internal governing body responsible for oversight of the Company’s risk management functions.
• Oversee management’s exercise of its responsibility to administer the Company’s various compliance programs. For purposes of this charter, the Company’s compliance programs shall include, but are not limited to, those relating to: data privacy (including cybersecurity); drug safety; healthcare compliance; and quality management (including GxP).
• Oversee management’s exercise of its responsibility to manage government and other investigations and material litigation matters appropriately.
• Periodically report on the Committee’s meetings, actions and recommendations to the Board or as otherwise requested by the Board.
• Evaluate and discuss trends in the areas of risk management that are relevant to the Company and, in consultation with the Company’s management and Ethics Committee, advise the Board on best practices with respect to risk management strategy and implementation.
• Periodically review, discuss and assess the Committee’s own performance, including a review of its compliance with this Charter, and report its findings to the Board.
• Review and assess the adequacy of this Charter on an annual basis and recommend any proposed changes to the Board for its consideration.

In addition, as the Committee or the Board deems appropriate, the Committee may identify additional areas of focus and/or perform other activities consistent with this Charter and the Company’s Certificate of Incorporation and Bylaws, each as currently in effect, as well as applicable governing laws or regulations.

MEETINGS

The Committee will hold at least two (2) regular meetings per year and additional regular or special meetings as the Committee deems appropriate. Officers and other employees of the Company may attend these meetings at the invitation of the Committee.

MINUTES AND REPORTS

Minutes of each meeting of the Committee shall be kept and distributed to each member of the Committee and the Secretary of the Company. The Chair of the Committee shall report to the Board from time to time, or whenever so requested by the Board.