Screening activities Mike E. Farrell James E. Bartlett and Ghislaine C.Y. Gillessen Munich, 21-22 January 2014.

Presentation transcript:

Agenda
- The challenge of timely screening
- Needs analysis
- Technology is part of the solution
- From tools to behavior
- Export Controls maturity levels
- Business partner onboarding
Jan 2014, Full Circle Compliance

Introduction
- Increased regulation and regulatory scrutiny
- Specific challenges include high volume and time constraints
- Does the current screening solution meet the needs?
- Is a new tool, and a related selection procedure, required?

The challenge of timely screening
In the following slides some considerations are given with regard to the initial needs analysis phase. Next, some thoughts are given with regard to embedding the solution as part of the overall ICP (internal compliance programme).
Selection process: Needs analysis -> Selection criteria -> Long list -> Request for Information -> Response evaluation -> Short list

Needs analysis (1)
Define specific requirements for the screening solution, including, amongst others, the following aspects:
- Screening capabilities, e.g. on end-user, involved parties, related parties, final destination, end-use and product, including the relative level of importance of each (H/M/L).
- Overview of the lists to be screened against (denied persons list, unverified list, etc.), including a related importance rating, in line with global and local requirements. Also assess the requirements for the supplier's list-updating capabilities.
- Level of accuracy (good practice >95%) and an upper limit for the false positive percentage (good practice <1%).
- Availability level (>99.9%), support structure (24x7), helpdesk capabilities, response time, performance and other service level requirements.

Needs analysis (2)
- Real-time integration capabilities with the relevant software
- Language capabilities (German, English and local)
- Architecture, platform flexibility and language support (such as Unicode or C++), depending on the ICT situation
- Normalization and intelligent, adjustable matching algorithms
- Integrated workflow, notification and escalation model based on configurable thresholds
- Ability to reflect the organizational model
- Pricing and fee structure
- Implementation and operational burden calculated

Needs analysis (3)
- Single sign-on capability, security, roles and responsibilities
- Audit trail, documentation generation, data security and record retention
- Ability to deal with a "good guys" list
- User friendliness
- Ease of deployment, including organizational load and tuning set-up time
- Functional and technical specifications, development methodology
- Track record and client endorsements
- SAS 70 certification or similar
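The capabilities listed in Needs analysis (2) and (3) can be made concrete with a small screening step. The following Python program is an added example, not part of the original slides and not Full Circle Compliance's material: it normalizes party names (Unicode folding, punctuation, corporate suffixes), applies an adjustable matching algorithm, routes hits through configurable review and escalation thresholds that honour a per-list importance rating (H/M/L), suppresses previously reviewed false positives via a "good guys" list, and writes every decision to an audit trail. The watch-list entries, business partner names, suffix list and threshold values are all constructed assumptions for illustration.

```python
"""Constructed example of a denied-party screening step (not from the slides)."""
import difflib
import re
import unicodedata
from dataclasses import dataclass, field
from typing import Optional

# Constructed watch list: (entry name, list identifier, importance rating H/M/L).
# All names are fictitious; a real tool screens against the official lists.
WATCH_LIST = [
    ("Nordlicht Handels GmbH", "DENIED", "H"),
    ("Global Export Trading Ltd.", "UNVERIFIED", "M"),
    ("Jean-Luc Durand", "DENIED", "H"),
]

# Assumed suffix list; tuning this is part of the "set-up time" named in the slide.
CORPORATE_SUFFIXES = {"gmbh", "ltd", "limited", "inc", "llc", "ag", "sa", "bv", "co"}


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, drop corporate suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^\w\s]", " ", text.casefold())
    tokens = [t for t in text.split() if t not in CORPORATE_SUFFIXES]
    return " ".join(tokens)


def similarity(a: str, b: str) -> float:
    """Blend character-level and token-set similarity of two normalized names.
    The token score makes "Durand, Jean Luc" match "Jean-Luc Durand"."""
    char_score = difflib.SequenceMatcher(None, a, b).ratio()
    ta, tb = set(a.split()), set(b.split())
    token_score = len(ta & tb) / len(ta | tb) if ta | tb else 0.0
    return max(char_score, token_score)


@dataclass
class ScreeningResult:
    partner: str
    decision: str                 # "clear", "review" or "escalate"
    best_match: Optional[str]
    list_id: Optional[str]
    score: float


@dataclass
class Screener:
    review_threshold: float = 0.80     # configurable: below this a hit is dropped
    escalate_threshold: float = 0.95   # configurable: at/above this a hit escalates
    # Reviewed false positives: (normalized partner, normalized list entry) pairs.
    good_guys: set = field(default_factory=set)
    audit_trail: list = field(default_factory=list)

    def screen(self, partner: str) -> ScreeningResult:
        norm = normalize(partner)
        best = ScreeningResult(partner, "clear", None, None, 0.0)
        best_rating = None
        for entry, list_id, rating in WATCH_LIST:
            score = similarity(norm, normalize(entry))
            if score > best.score:
                best = ScreeningResult(partner, "clear", entry, list_id, score)
                best_rating = rating
        if best.best_match and (norm, normalize(best.best_match)) in self.good_guys:
            reason = "good_guys_list"           # reviewed earlier, keep cleared
        elif best.score >= self.escalate_threshold or (
            best_rating == "H" and best.score >= self.review_threshold
        ):
            best.decision, reason = "escalate", "above_escalate_threshold_or_high_list"
        elif best.score >= self.review_threshold:
            best.decision, reason = "review", "above_review_threshold"
        else:
            reason = "below_review_threshold"
        # Audit trail: every screening is recorded, including cleared ones.
        self.audit_trail.append({
            "partner": partner, "normalized": norm, "best_match": best.best_match,
            "list_id": best.list_id, "score": round(best.score, 3),
            "decision": best.decision, "reason": reason,
        })
        return best


if __name__ == "__main__":
    s = Screener()
    for name in ["Nördlicht Handels-GmbH", "Durand, Jean Luc",
                 "Global Widgets Inc", "Global Export Traders"]:
        r = s.screen(name)
        print(f"{name!r}: {r.decision} (match={r.best_match!r}, score={r.score:.2f})")
```

The two thresholds and the high-importance rule are the "configurable threshold" and "importance rating" of the slides; the accuracy and false-positive targets (>95%, <1%) are then measured from reviewer outcomes recorded against the audit trail, which is also what feeds the "good guys" list.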

Technology is part of the solution
- Needs have to be defined and aligned with the overall ICP
- The needs analysis is the first step of the selection process
- Complex needs require a combination of technical and procedural solutions
- The technical solution is to be assessed in conjunction with its procedural impact
Diagram (two parallel tracks):
Procedural aspects: Analyse as-is process -> Target operating model -> Gap analysis -> Transformation plan and implement -> Training -> Roll-out and monitor
Technological aspects: Requirements -> Technology selection -> Design -> Build -> Test -> Support

From tools to behavior
Values and behaviours driven approach, underpinned by leadership commitment and "tone from the top":
1. Regulatory requirements analysis: analyze regulatory requirements
2. Risk assessment and gap analysis: carry out a detailed risk assessment to identify the areas of highest risk and perform a gap analysis
3. Detailed review of risk: detailed risk-based review of the existing export controls framework
4. Design and development of framework: development of an export controls compliance framework to address risks and gaps
5. Remediation and implementation: design and build controls; implement and test
6. Sustainable compliance framework: reporting and monitoring; continuous improvement; embed values and behaviours

From tools to behaviour
Diagram: compliance elements arranged across Prevent, Detect and Respond (numbered on the slide; the numbering did not survive extraction):
- Policies and guidelines
- Risk assessment and mitigating controls
- Training and communications
- Business partner due diligence
- Confidential reporting arrangements
- Compliance organization
- Finance organization
- Human Resources organization
- Internal Audit organization
- Continuous improvement

ICP
The path to get "Best Value": ECMS maturity levels (plotted against net cost)
Phase 1 Initial / ad hoc: unpredictable environment where control activities are not designed or in place.
Phase 2 Informal: control activities are designed and in place, but are not adequately documented. There is no formal training or communication of control activities.
Phase 3 Standardized: control activities are designed, in place, adequately documented and communicated to employees.
Phase 4 Monitored: standardized controls with periodic testing for effective design and operation, with reporting to management.
Phase 5 Optimized: integrated internal controls with real-time monitoring by management and continuous improvement.

Business partner onboarding
Screening is part of the overall business partner onboarding process.
Diagram elements:
- Business partner data: ERP systems / vendor master, CRM systems
- Identify, consolidate and de-duplicate business partners
- Risk assessment: risk analysis and rating; business partner risk classification segmented into Low, Medium and High risk (standardize or systematize using third-party databases, industry-specific factors, questionnaires, etc.)
- Perform due diligence
- Approvals and contracting / contract amendments
- Ongoing: continuous reassessment, reporting / monitoring, auditing, incident response and remediation
Foundation:
- Control environment and tone at the top
- Governance, executive sponsorship, compliance enforcement
- Training, policies and change management
- Technology, tools and information management

Prevent, Detect and Remediate
Not for further distribution without the permission of Full Circle Compliance.
Contact details: Michael E. Farrell, Ghislaine C.Y. Gillessen, James E. Bartlett III