Client-Specific, Operational Risk Management, Solution- Building Workshops The following pages show a list of workshops that may be provided individually or as a twenty-five day curriculum that may be spread over one-year period The workshop delivery is client-specific. A client briefing will be held approximately one week prior to starting the workshop so that specific areas of interest and concern to the client enterprise may be addressed during the workshop The location is on the client-site or a client-selected external location. The course components may be used as a ‘shopping list’. A single workshop, a number, or the whole course may be selected The courses are charged at the facilitator’s daily fee rate. Participant numbers are at the discretion of the client but may range from one-person mentoring sessions, to twenty-person syndicated workshops. (Larger numbers will utilise two facilitators) The Board–level structured discussion, in its two-hour format (Please see over) will be delivered free of charge should a client elect to take the entire curriculum NT Hoppé Governance, Risk & Resilience Knowledge Transfer

1.21st Century Operational Risk Management (options) 2hrs/ Half-Day/1 Day Director and senior risk management-level structured discussion - Establishing the ORM scope, component parts, relationships, interfaces and framework - Developing an operational risk management (ORM) strategy and transformation programme 2. Organisation, Methods, Terms of Reference & Reporting 3 Days - Three lines of defence SWOT -ORM21, A methodology for applying and transforming ORM across an enterprise - ORM Assurance across the Extended Enterprise - How to; Assess, Measure, Monitor and Assure -The ORM Framework - Approach, Attitude Management & Risk Culture -Brand Protection, ‘normally’ and as part of incident management -Relationships with Legal, Compliance, Audit, Insurance and others 3. Risk Reviews & Assessment 2 Days -Risk Assessment Methods -Project Risk Assessment and Governance -Contribution of Key Risk Indicators, Key Performance Indicators and Key Control Indicators -ORM and Stress Testing 4. Reputation Risk Management (with the Reputation Consultancy Ltd) 2 Days + -Reputation risk assessment and risk registers -Assurance across the Extended Enterprise - ‘Normal’ management, and during change and incidents -Social media and Big Data analysis + Choice from four half-day workshops covering specific issues 5. Building a “Policy House” 2 Days -Scoping and developing Policy, Practices, Standards & Procedures -How to develop a visible, cohesive structure of mandated controls -Guidelines, promotion, implementation and sustainability 6. Extended Enterprise/Outsource Risk Management 2 Days - The Boundary of Control and the breadth and depth of the extended enterprise -Internal, External, Offshore and Chain Outsourcing -The extended ORM framework - ORM Assurance outside the boundary of control 7. Asset Risk Classification 1 Day -Classification and Assessment - The Classification Cube Model and its Implementation -The Classification Project Operational Risk Management Workshops (Primary Management Issues & Solutions) NT Hoppé Governance, Risk & Resilience Knowledge Transfer

Operational Risk Management Workshops (Key Risk Areas: How to Manage, Measure and Assure Them) 1. Assuring Resilience and Continuity 2 Days -Planning, Analysis and Comparison -Corporate resilience governance and assurance -Establishing an incident management and recovery capability -Scenario testing 2. Information Risk Management 2 Days -Information Risk as a strategic issue -Tope down, three-level sub-framework -Relationship with Information Technology Security and Information Security -Records Retention Risk Management -Privacy & Data Protection -Intellectual Property Protection 3. Process Risk Management 1 Day -Process Risk Assessment and Analysis -Converging pure process risk management with other KRAs -Process risk governance across the extended enterprise -Process Risk Management and quality assurance -Classification, measurement and reporting 4. Project Risk Management 1 Day - Blending with Six Sigma and Project Management Methodologies -Setting up the function for project approval, conduct and termination 5. Malfeasance Management 1 Day (Protection and investigation of deliberate acts against the organisation) - Developing and implementing a counter-malfeasance function - Investigations, Research, Operations & Oversight - Developing a proactive approach; Intelligence, Big Data and Supporting Structures 6. Human Resource (HR) Risk Management 1 Day (Protecting the organisation and its business from its people) -Recruitment risk management -Continuing HR risk assessment -Risk management in personnel termination and downsizing projects -Industrial relations monitoring - Risk training and communications 7. Personnel Protection & Physical Asset Protection 2 Days (Protecting the organisation’s people from the organisation) -Health & Safety when and wherever at work -Travel security, protection from and management of kidnap for ransom incidents -Property protection -Protective and detective systems 8. Organisation & Operations with Other Risk and Control Functions 1 Day The strength of relationship and formal network with: -Insured Risk, Legal Risk, Regulation & Compliance, Audit, Quality etc. 9. Operational Risk Measurement 1.5 Days -Key risk, performance and control indicators: What they are, how to use them, how to report them and how to forecast using them -Development and when to use ORM scorecards, heat-maps and footprints -Stress testing ORM, and within the firm-wide tests NT Hoppé Governance, Risk & Resilience Knowledge Transfer