Managing third party risks: Challenges and trends. September 2015. © 2015 Deloitte

Presentation transcript:


Agenda
What is third party risk?
Why is it important?
How can you address it?

The extended enterprise is becoming the new normal and with that comes an increased dependency on third parties to operate your value chain
Support functions: Have potential effects across the entire supply chain.
Extended value chain: Originates in upstream and downstream supply chain partners.
Internal operation: Relates to internal processes.
Value chain diagram labels: Develop, Plan, Source, Make, Deliver/Return; Tier N, End-users, Supply, Demand, Tier 1, Distributors; Company operations.
Key third parties: 3rd party services, Agents, Consultants, Suppliers, Joint Ventures, Distributors, Contractors, Partnerships.

The use of third parties is likely to continue to increase
Optimization: During the recession, many organizations pushed more of their business out to third parties in an effort to reduce internal costs across the extended enterprise.
Regulatory trends: Regulators have become more focused on how companies are managing outsourcing and third-party risk in general, and the fines for violations have reached hundreds of millions of euros.
The importance of reputation: When millions of consumers are personally affected by a third-party system failure or security breach, or when a well-known company is heavily fined or repeatedly called out with regulatory MRAs (matters requiring attention), the reputation of the involved organizations can suffer.
Free flow of reputation: The free-flowing nature of information plays a role: decades ago, a disruption in a local country would likely have stayed local; today it can quickly become a global issue.
As a result of the escalating risk — and the escalating fallout when risk becomes reality — boards are paying more attention and asking more questions.

If you ask the compliance officers, third party risk is already the no. 1 headache
Third party risk management is a top challenge... and for good reason.
Source: Deloitte compliance trend survey


Why is third party risk important?
It is not a new concept for organizations to engage with third parties for the provision of products and services, so why is third party management now so important? There are a number of factors driving organizations to place increased importance on third party risk, which can be broadly grouped into the following areas:
Regulation: Global regulators across a variety of risks and industries are taking risk management of third parties very seriously. Increased regulations are seen in a variety of areas, e.g. anti-bribery, corruption and data security.
Market conditions: The global recession has driven many of our clients to outsource operations to third parties in an attempt to reduce costs.
Overseas providers: In an attempt to seek out low cost solutions organizations are increasingly using offshore outsourcing and supplier networks. This exposes organizations to inherent risks in trading with overseas suppliers as well as difficulties obtaining assurance of compliance.
Specialist suppliers: The appearance of specialist suppliers has led to some organizations becoming very reliant on the products / services from such suppliers. If that supplier was to fail to deliver, it could adversely impact the organization.
Reputational impact: A failure by a supplier to deliver against its contractual obligations can have a severe reputational impact on your organization, particularly if it leads to severe delays in service or an inability for your organization to continue to service its customers.
Technology: The emergence of cloud computing has created new opportunities for firms but can also mean new risks to be mitigated. The impact of sensitive data being leaked would be highly detrimental to the organization, and there is a risk that outsourcing partners may have limited control environments to protect that data.

Common third party risk categories that should be on the radar
Solvency: There is no business-wide ongoing monitoring of third parties' solvency and therefore there is limited visibility of third party solvency and financial viability.
Security: The business does not have adequate visibility as to whether third parties are compliant with physical and information security policies, some of which are client requirements. This can increase with further outsourcing.
Regulatory: There is no central visibility of third party compliance with data protection act requirements; this increases the risk of breach by third parties, for which the business may be liable.
Corporate responsibility: There are no processes in place to consult with stakeholders from the corporate responsibility department in order to require third parties to protect the business' brand and compliance with issues.
Resilience: There are no checks to ensure that business continuity plans have been completed and tested.
Health, safety and environment: There are limited processes to ensure contracts include health and safety standards or requirements, the lack of which may expose the business to HSE claims.
Intellectual property: Contracts are not consistently passed through IP or legal teams to protect our intellectual property from theft or misuse by third party suppliers.
Billing and performance: There is limited ongoing monitoring of supplier compliance against contractual terms and conditions. As a result, suppliers may be raising inaccurate charges or failing to meet performance standards through contractual non-compliance.
Integrity: There are no processes in place to: ensure AML and ABC clauses are included within contracts; conduct supplier due diligence; ensure audit rights are inserted into third party contracts; inspect ongoing compliance with policies. As a result there is potential exposure to legal prosecution in the event of a breach by a third party supplier.


However, being on top of the third party risk profile often generates a number of challenges
Phases: Identify, Evaluate, Mitigate, Monitor
How can we align the due diligence performed with the risk presented by third party?
Why does it take so long to perform the due diligence activities?
How do you audit a third party?
What type of due diligence activity should be performed?
Which third parties should we be auditing?
Why are we performing due diligence on so many third parties?
How can we make the process more efficient and effective?
What monitoring should we be performing?
How can we assess the risk presented by the third party?
How can we obtain more background information about the third party?
How should we act on risks?
What should the scope of the audit be?
How far should we mitigate risks?
How do we act on deviations?
How do we monitor?

Segment your third party base and direct your focus and efforts on the clusters of concern
What risks can cause non-compliance and affect your license to operate?
What risks can affect your product supply to end-customers?
What risks can cause overpayments to/understated revenues from third parties?
What risks can affect your reputation?
What risks can affect your business strategy execution?
Legend: High risk, Mid risk, Low risk, Black swan

Build and implement a structured framework to manage third party risk
Phases: Identify, Evaluate, Mitigate, Monitor
Activities: Scope of 3rd parties; Self-disclosure surveys; Nature of relationship; Risk Assessment; Risk-based due diligence; Identification of Red Flags; Low, Medium, High risk; Approve/Deny/Conditions; Contracting (wording); Internal Controls & Tests; Training & Certifications; Monitor relationship; Monitor transactions; Monitor changes; Periodic re-approval
Data: Probability, Impact
Which risks should we focus on? Risk dashboards; Risk prioritization; Risk mitigation plans

Benefits of strong governance
Deloitte's integrated third party governance and compliance framework solutions enable organizations to optimize their risk and compliance management processes and transform them into sustainable operational solutions.
Key benefits of effective frameworks:
Increased transparency: Demonstrate transparency on risk and control decisions made.
Ownership and active management: Drive consistent compliance across multiple business units and individuals.
Alignment to strategy: Third party risk-based segmentation and management is tied to the organization's strategic business goals.
Live data for decision making: Implementing a dashboard to increase efficiency and reduce reliance on spreadsheets for tracking.
Risk-based management: Use segmentation and risk management to address increasing risk and severity of impact.
Regulatory compliance: Consistently comply with regulatory requirements pertinent to the organization's business activities.
Continuous monitoring: Performance measuring and monitoring of third parties on a continuous basis.

About Deloitte
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.
Deloitte Touche Tohmatsu Limited: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.