GRC Implementation

This document outlines Ernst & Young's (EY) proposal to develop and implement an enterprise risk management (ERM) framework for a multinational food group called Company A. EY understands that Company A currently lacks formal risk management policies and tools. EY proposes to develop an appropriate ERM framework, identify a governance, risk, and compliance (GRC) tool to automate the framework, and roll out the new framework and tool across three of Company A's departments. EY would train "trainers" to lead further implementation across the group and provide quality assurance during implementation. The goal is for Company A to use the new GRC tool to identify and manage risks according to the ERM framework developed by E


Confidential

A Multinational Food Group


Our commitment to deliver quality and value to your business:

Turning risk into results

Technical Proposal
22 September 2014
Ernst & Young received a 'Strong Positive' rating in the Global Enterprise Risk Management Consulting Services MarketScope report issued by Gartner in 2012

Ernst & Young has maintained a risk management practice since 1995. This practice covers risk
management, compliance and regulations, risk-embedded performance improvement, internal audit, and
internal controls. It has established centers of excellence to develop research and innovation focused on risk
and performance models.
Gartner, Inc. is the world's leading information technology research and advisory company. During 2012, Gartner carried out a Market Scope
assessment on the enterprise risk management consulting capabilities of six global consulting firms.
Contents

1 Our understanding of your requirements 03
2 Why EY? 10
3 Our proposed approach and work products 14
4 Indicative timeline 54
5 Our best team to assist you 56
6 EY selected credentials 59
7 Assumptions 70

Appendices
A Consultant Biographies
B ERM & GRC Tool
C EY Profile
D EY Tools

Our mission
Deploy our global knowledge and local depth to deliver business-critical innovative solutions that bring value to our clients while meeting their ever-growing expectations.

This document is being submitted to The Company A (“Company A” or the “Group”) for the purpose of describing Ernst & Young (EY) qualifications to provide the services outlined herein. In order to
describe its capabilities, EY has disclosed certain proprietary and other sensitive information, which if disclosed to third parties, might harm EY competitively. As a result, this document may not be
disclosed, used or duplicated - in whole or in part - for any purpose other than the evaluation of the EY technical proposition by Company A for the purposes of awarding a contract. In consideration of
receiving the disclosures, we request that Company A treats this document as confidential material. This document shall remain the property of EY. In the event EY is not awarded this project, EY reserves
the right to request the return of any and all materials included in this document.
1 Our understanding of your requirements
Introduction

The Company A

The Company A was established in 1979, with the objective of manufacturing and marketing edible oil and vegetable ghee in Saudi Arabia. It is now one of the most successful and fastest growing multinational food groups in the Gulf and the Middle East Region, North African and Central Asian countries (MENACA), and has a wide portfolio of businesses and activities including Edible Oils, Vegetable Ghee, Sugar, Pasta, Retail (Hypermarkets, Supermarkets and convenience stores) and Plastics (flexible and rigid). The Group also has significant investments in leading publicly-listed Saudi companies, investment funds and real-estate businesses.

Background

Company A does not currently have any formal risk management policies, risk analysis, mitigation plans or a Governance, Risk and Compliance (GRC) tool to manage and mitigate the risks faced at the various existing Business Unit levels. Company A would like to hire a consultant to do the necessary field work to come up with an enterprise risk management (ERM) framework and to support in identifying and implementing this ERM framework through a GRC tool that fits and facilitates Company A's business and decision-making process.

Confidential — All Rights Reserved — Ernst & Young 2014 The Company A– Technical Proposal 5
Our understanding of your requirements (cont'd)

Based on our discussion with you, we understand the following business requirements, which we have mapped to our proposed approach in the work stream tables that follow.

Your requirements

1) Developing an appropriate ERM framework that can be easily understood and implemented across the Group.
2) Utilizing EY professional expertise in identifying the GRC tool that would best fit the Group and IT-enabling the ERM framework through this GRC tool. The work would involve preparing a Request for Proposal (RFP); recommending the optimum number of licenses to be procured; performing an evaluation of at least three to five GRC vendor proposals; recommending the best-fit GRC tool to be implemented across Company A; and ensuring the ERM framework defined by EY is automated through this GRC tool.
3) End-to-end roll-out of this newly developed ERM framework and utilization of the new GRC tool for three major departments across the Group: Finance in Company A HQ; Strategic Sourcing (Supply & Procurement) for Company A Food Company; and Commercial in Aziza Panda United for Hypermarkets and Supermarkets.
4) Train-the-Trainers (Champions) sessions for those selected to lead the ERM implementation across the Group, based on a well-defined plan recommended by EY. The sessions will mainly focus on explaining in detail the framework developed, the GRC tool functions and capabilities, and demonstrating a real-life benchmark example from the three departments already rolled out.

Our understanding of your requirements (cont'd)

Also as per our understanding, you expect EY to perform the following:

► Risk identification and assessment to be carried out based on the Framework developed and proposed by EY
► Risk framework and policies and procedures to be appropriately embedded in the GRC tool
► EY to perform quality assurance services based on the milestones shared by the GRC implementation partner
► EY to deliver 2 or 3 training courses (2-3 days each) on the Framework developed by EY; the vendor will carry out 1 to 2 days of training on the GRC tool to be used by Company A
► Company A would like to perform the risk assessment for its identified three departments through the GRC tool
► GRC tool to focus only on automation of Enterprise Risk Management (ERM) as part of this project

Our understanding of your requirements (cont'd): your requirements mapped to our approach

Work stream 0: Project initiation
  Outputs: D1. Project charter; D2. Project plan; D3. Meeting schedule
  Workshop: none

Work stream 1: Current state assessment
  Outputs: none
  Workshop 1: Opening workshop (awareness): to launch the project; to discuss our understanding of the current state with the project manager and/or project sponsor, and also conduct a workshop with key stakeholders within the organization; conduct a workshop with "C"-suite executives

Work stream 2: Develop risk management framework and business user requirement definition for GRC tool evaluation
  Outputs: D4. Group Risk Management Framework; D5. Group Risk Classification and Rating Criteria and Mitigation Plan Effectiveness Criteria (Risk Appetite for the Group and the Business Units); D6. GRC process controls requirement document (business user requirements); D7. Risk procedures manual (Group level only); D8. ERM organization structure and terms of reference of the ERM Committee, including job descriptions for key members of the ERM function (maximum of 4-6 positions)
  Workshop 2: To discuss and validate appetite and GRC requirements

Work stream 3: RFP preparation and GRC vendor evaluation
  Outputs: D9. Request for proposal (RFP) covering GRC license and implementation requirements; D10. Vendor evaluation criteria; D11. Vendor evaluation report
  Workshop: none

Work stream 4: Embedding the ERM framework within the GRC tool
  Outputs: none
  Workshop 3: Workshops for the GRC implementation partner explaining the ERM framework and reporting requirements

Work stream 5: Design review during GRC implementation
  Outputs: D12. Design Review Report

Work stream 6: Solution review during GRC implementation
  Outputs: D13. Solution Review Report

Work stream 7: GRC tool train the trainer
  Workshop 4: Workshops on the GRC tool (train the trainer) by the partner

Work stream 8: Identify and assess risks to determine 'risks that matter' using the GRC tool
  Outputs: D14. Risk Register; D15. Prioritized risks based on survey results
  Workshop 5: Workshop to present the results of risk prioritization

Work stream 9: Reporting dashboard – GRC tool
  Outputs: D16. ERM reporting package (extension of the 'ERM Dashboard'), report templates for the Board of Directors, Risk Committee, Chief Executive Officer etc.

Work stream 10: ERM implementation plan
  Outputs: D17. ERM implementation plan

Work stream 11: Closing awareness session
  Workshop 6: Closing workshop

2 Why EY

Ahmed Taher:
"Ernst & Young will commit to bringing you the right people with the right experience to address your needs. We have a balance of experience, methodology and benchmark information that can provide Company A with the information, support and guidance required over the course of this engagement. We are happy to reference all of our work and showcase our clients' satisfaction."

Why EY?

A deep understanding of Company A
EY is familiar with Company A, its culture and core initiatives and all the vital ingredients required to take on this program. In addition, our previous strategic projects with Company A provide detailed insight into Company A's needs and challenges. The team that has been proposed has already worked with Company A.

Experience of developing the risk management framework for leading companies in the region and globally, and proven tools for GRC
Ernst & Young's experience is built upon the development of the risk management strategy for leading companies. Along with the proven global capabilities of providing ERM services to retail and diversified companies, the proposed team consists of Ernst & Young professionals who have actually provided enterprise risk management and assessment services to companies in the GCC. As part of the delivery, we have assisted companies in defining the ERM framework based on different leading standards such as ISO 31000 and COSO. We have proprietary tools and accelerators such as the 'GRC Diagnostic Tool', which expedites the whole process of GRC tool evaluation while ensuring that the appropriate business requirements have also been considered while working for Company A.

Dedicated team with the right mix of capabilities
The team proposed to deliver the ERM project to Company A are key members of EY MENA Risk Advisory Services. The team has the necessary in-depth experience of the functions and operations of leading retail and diversified companies, as well as of the business and financial risks of such companies. Our extensive global and regional experience would be leveraged to provide unique value to you during this project. Over 700 Advisory professionals in MENA alone allow quick mobilisation of resources. In addition, the latest collaboration tools such as MS SharePoint, EY Leads and a variety of other bespoke information systems give our teams real-time input on the latest knowledge.
EY has formed a dedicated team to focus on GRC solutions, and these experienced resources would work on the GRC evaluation and quality assurance engagement. This team has diverse and extensive experience of evaluating and implementing leading GRC tools such as BWise, Archer, MetricStream, OpenPages, Oracle GRC and SAP GRC solutions, and understands the key elements required to enable a successful GRC implementation.

Expertise in the retail and food sector
We support leading regional companies in the retail and food sector, understand the challenges of retail companies in the Kingdom and in the GCC, and know how to address them successfully.

EY is the clear leader in providing risk advisory services to the largest global companies, capturing a larger percentage of the market than all of the other Big Four firms combined. This allows us to provide the Company with more comprehensive benchmarking, leading practice insights and consistent global coverage.

EY's strong focus on the GRC market in the Middle East region

EY is the leader in the risk and compliance transformation area in the Middle East and North Africa region. We have executed complex and large-scale risk transformation projects across leading organisations in the MENA region. We are committed to ensuring that EY is the GRC market leader in the MENA region. Our GRC team has a wide array of experience on different GRC tools such as BWise, Archer, MetricStream, OpenPages, Oracle GRC and SAP GRC solutions.

As part of this investment, Jonathan Blackmore, the EMEIA Risk leader, has relocated from London to Dubai to work with the local partners to further increase their Utilities Risk footprint in the MENA region by leveraging and sharing his knowledge and experience. Jonathan would advise Company A by participating in key steering committee meetings. In addition, Satish Yadav has moved from India to Dubai to support Jonathan and provide thought leadership around GRC for the MENA region. Satish has worked on a number of complex and global GRC implementation and control transformation programmes including Givaudan, Kraft, SABIC, Holcim Cement, Birla Carbon, Mahanagar Gas, Essar Steel etc.

EY has built an EMEIA Advisory Centre of Excellence (EAC) that has a number of GRC specialists, who will support the MENA team to provide thought leadership and share experiences, to drive efficiency and insight through your GRC implementation. Sébastien Brasseur from the EAC, who will be the Subject Matter Expert (SME), has worked on over 25 GRC implementations over the past 10 years and will bring his knowledge and learnings to Company A.

The IDC MarketScape Vendor Assessment shows EY as a leader in both Financial and Accounting consulting services.

EY in MENA has a strong track record of successful engagements across different sectors in ERM areas. The table shows a sample of our strategic clients in the region that we have successfully worked with and supported.

Select client | Country
Marafiq: Design and implement ERM framework and organization transformation programme | KSA
DEWA: Enhance the corporate Risk Management System | UAE
Saudi Aramco: Control self assessment | KSA
Reliance Industries: Enterprise risk management implementation in GRC | KSA
Mobily: GRC implementation | KSA

3 Our proposed approach and work products

What Gartner noted about Ernst & Young's risk management approach

Ernst & Young's approach focuses on the transformation of risk and control functions. This focus is employed in an integrated "risk transformation" methodology that includes the following elements:

► Market Understanding: Ernst & Young rated highly in client surveys across a number of categories including risk management consulting vision, leading innovation capabilities, objectivity and independence. This is most likely attributable to Ernst & Young's unique risk transformation approach that integrates business and IT risk management, as well as its strategic alliances with key technology vendors such as SAP.
► Market Responsiveness and Track Record: Clients rate Ernst & Young highly for its strong references, tenure of consultants and its overall cultural fit with the client's organization. In addition, Ernst & Young staffs its risk management project engagements with consultants who possess a strong and deep business process consulting background.
► Customer Experience: Ernst & Young's ability to influence senior management with respect to the changes required for successful risk transformation is a clear strength. In addition, prior positive experiences have equated to consistent re-engagement by clients.
► GRC Technology Delivery: Analysis of client risk- and compliance-related business processes and enabling technologies to develop business insights for specific risk events or situations (for example, business and IT process and controls monitoring and testing; access controls and segregation of duties; data analytics; and data quality, structure, mapping and integration).
► Applied GRC Enablement: GRC technology development to generate business insights around a specific process or initiative to manage risk, improve control or enhance process performance (for example, GRC platform implementation, business intelligence dashboards, audit process enablement, risk system convergence and custom risk solutions).
► Enterprise GRC Technology Transformation: Creation of enterprise-wide GRC technology strategy and infrastructure (for example, GRC technology road map and strategy; risk and controls convergence initiatives; client current-state GRC technology assessment; GRC architecture and proof of concept; GRC platform evaluation and selection; and information management program development and initiatives).

Gartner, Inc. is the world's leading information technology research and advisory company. During 2012, Gartner carried out a MarketScope assessment on the enterprise risk management consulting capabilities of six global consulting firms.
Our Proposed Approach

The following diagram illustrates EY's overall approach along with the work streams. It also illustrates the involvement of a third party during GRC implementation. Diagram content rendered as text:

ERM framework development by EY (work streams 0, 1, 2, 8, 10, 11):
  0 Project initiation
  1 Current state assessment
  2 Develop risk management framework and business user requirement for GRC tool
  8 Identify and assess key risks
  10 ERM implementation plan
  11 Closing awareness session

GRC tool evaluation and support during GRC implementation by EY (work streams 3, 4, 5 & 6, 7, 9):
  3 RFP preparation & GRC vendor evaluation
  4 Embedding ERM framework through GRC tool
  5 & 6 Quality assurance during GRC implementation (design & solution review)
  7 GRC tool training (train the trainer)
  9 Incorporate reporting dashboard in GRC

GRC implementation by third party: GRC implementation (3 departments), OUT OF EY SCOPE, to be done by the GRC implementation partner, followed by GRC go-live.

Work stream 0: Project initiation

Understanding Company A's risk management needs and capabilities

In this work stream we will formally kick off the project and perform project planning.

EY activities
► Meet Company A's management to understand their perspective and business objectives.
► Facilitate appointment of a Project Sponsor and Project Coordinator (ERM Project Liaison), if not already appointed.
► Review and approve the core project frameworks and documentation standards.
► Agree project protocols.
► Agree and assign project management roles and responsibilities.
► Agree project timeline (for all project phases) and milestones.
► Identify key project tasks and dependencies.
► Agree project reporting protocols, frequency and tools.
► Agree project team assignments and reporting lines (essential where joint EY and Company A teams are working together on project execution).
► Agree procedures and timelines for review and sign-off of work products by Company A.
► Develop meeting schedule.

Company A activities
► Develop and send out the project launch communication. This should include nomination of a Project Sponsor and Project Coordinator.
► Arrange working space for our team members, coordinate meetings with stakeholders and provide the logistics necessary for project activities.
► Identify the participating members (CEO and VPs) and nominate the Project Liaison.

Work products for work stream 0
D1. Project charter
D2. Project plan
D3. Meeting schedule

Work stream 0: Work products illustration
Illustrative sample pages of D1 Project charter, D2 Project plan and D3 Meeting schedule (figure only).

Work stream 1: Current State Assessment

Perform current state assessment

This phase would involve interacting with key stakeholders to understand existing risk management practices and assessing the risk management needs.

EY activities
We will perform the following activities during this phase:
► Understand existing risk management practices, if any, against current industry practices to assess the risk management needs
► Understand the current corporate strategic direction of the company
► Understand Company A's current IT maturity and technology landscape (from an ERM tool perspective)
► Understand the future state expectations
► Conduct interviews with key organization stakeholders to understand the main requirements and expectations from the GRC system; these will be coordinated by the Company A Internal Audit and Risk Management functions across the Group
► Understand the company's ability to deal with the changes a new GRC system is likely to bring
► Understand the financial, technological and human resources capabilities vis-a-vis the new GRC system
► Conduct an opening workshop with "C"-suite executives for project kick off, to explain the approach and present the current state of risk management activities, if any, in Company A

Company A activities
► Arrange meetings with the key stakeholders for discussing GRC requirements with specific focus on ERM
► Develop and send out the project launch communication

Work products for work stream 1: none

Workshop 1: Opening workshop (awareness)
► to launch the project
► to discuss our understanding of the current state with the project manager and/or project sponsor, and also conduct a workshop with key stakeholders within the organization
► conduct a workshop with "C"-suite executives

Work stream 2: Develop risk management framework including business requirement definition for GRC tool evaluation

Risk management framework
A Risk Management Framework translates Company A's objectives for risk management into a consistent process and approach to decision making. (The accompanying figure lists the steps of the risk management process: establish the context; communicate and consult; monitor and review; identify risks; analyze risks; evaluate risks; mitigate risks.) In this step we will:
► Define a Risk Management Framework, based on input from the previous work stream, covering the following key elements:
  ► Risk assessment criteria
  ► Risk management policy and procedures
  ► Process for risk assessment, prioritization, mitigation and reporting
  ► Risk management governance structure with roles and responsibilities related to risk management
  ► Emerging risk identification, escalation and redress procedures
  ► Periodic risk reporting framework
► Propose an ERM structure for Company A

It's all about your appetite: our approach
We will follow a structured approach in articulating a risk appetite statement that will help Company A better understand its sensitivity to risk in pursuit of its objectives. During this step we will:
► Facilitate a workshop of VPs to identify risk-bearing capacity.
► Facilitate the articulation of the risk appetite by assessing past decisions and events as well as risk philosophy.
► Link risk appetite with the performance monitoring and reporting structure of Company A.

Risk Policy and Procedures manual
The Risk Policy and Procedures manual will contain the Company A Policy and a step-by-step description of the risk management process. In this step we will:
► Develop clear guidelines, process flows and descriptions for implementing Company A's risk management framework.
► Work with your nominated Risk Champions to understand reporting requirements and accordingly develop reporting lines, reporting content and timelines.

Work products for work stream 2
D4. Group Risk Management Framework
D5. Group Risk Classification and Rating Criteria and Mitigation Plan Effectiveness Criteria (Risk Appetite for Group and Business Units)
D6. GRC process controls requirement document (business user requirements)
D7. Risk procedures manual (Group level only)
D8. ERM organization structure and terms of reference (Group level only) including job descriptions for key members of the ERM function (maximum of 4-6 positions)

Workshop 2: To discuss and validate appetite and GRC requirements

Work stream 2: Develop risk management framework including business requirement definition for GRC tool evaluation (cont'd)

Business requirement definition for GRC tool evaluation
As part of this phase, business requirements would be defined to identify the scope for the GRC tool. Business requirements primarily focus on the enterprise risk management needs of the business.

EY activities
We will:
► Develop the Risk Classification and Categorization framework
► Develop the Risk Rating Criteria (based on impact and likelihood for each category), i.e. the Risk Appetite
► Propose a suitable integrated organization structure and reporting lines for Company A ERM to integrate risk management within Company A, and develop job descriptions for key members (maximum of 4-6 positions)
► Develop terms of reference for oversight, if required, based on the organization structure and reporting lines for Company A
► Develop the policies and procedures manual for risk management
► Prepare a draft of business requirements based on the ERM framework defined by EY and Company A management's expectations. EY will incorporate current GRC practices relevant for Company A as part of this documentation, which should be supported by the GRC tool. For this step we will use our proprietary GRC Evaluation toolkit (refer to Appendix D: Tools for details on the GRC evaluation toolkit)
► Conduct a workshop with the Steering Committee of the project, including "C"-suite executives, to discuss and obtain approval on the risk appetite and to discuss and validate the high-level GRC process requirements drafted by EY

Ernst & Young's scope of work does not include any development or implementation activities for the Business Continuity Management Framework or information security policy/framework.

Company A activities
► Provide input and the basis for risk appetite.
► Sign off ERM positions/roles.
► Provide review comments on the work products. Ernst & Young shall amend and update the work products for these comments, and Company A shall provide one final set of review comments within five days of receipt, which Ernst & Young will promptly address. No further updates will be processed by Ernst & Young.
► Arrange and manage a workshop location and facilities at its own cost, at Company A premises or any other location.
► Participate in workshops along with the relevant stakeholders for the GRC tool business requirements compilation.

Work stream 2: Develop Risk Management Framework
Illustrative scope of enterprise risk management activities

D4 Risk Management Framework (illustrative)

Risk Governance (Risk Oversight and Accountabilities; Compliance and Business Practices; Risk Strategy and Appetite; Reporting and Communications): defining the risk strategy and oversight responsibilities for risk management to drive accountability across the enterprise.

Integrated Risk Management (Risk Identification and Assessment; Scenario Analysis and Stress Testing; Risk Monitoring and Analytics; Risk-Based Performance Management): integrate risk management across the breadth of the enterprise within the ongoing business planning and performance management processes.

Coordinated Risk Assurance Functions (Scope and Coverage; Methods and Practices; Infrastructure and People; Information and Technology): coordinating the scope, people, processes and technology necessary to sustain optimally effective and efficient risk management and compliance.

Business Level Performance (Self Assessment and Mitigation; Metrics and Measures; Process and Control Optimization; Programs and Major Initiatives): enable the organization to differentially manage key risks with optimized processes and controls at the business level.

Work stream 2: Work products illustration (cont'd)
Elements of a risk appetite framework

D5 Risk Appetite (illustrative)

Risk capacity: the broad-based amount of risk a company is ABLE TO ACCEPT.
Risk appetite: the broad-based aggregate amount of risk a company is WILLING TO ACCEPT in pursuit of strategic and operational goals.
Risk tolerance: the maximum applicable to each category of risk that the company is willing to take.
Risk target: the optimum level of risk taken, aligned to expected returns.
Risk limits: specific thresholds set for monitoring tolerances and targets at a granular level.

These are set against the corporate risk profile (enterprise-wide risk exposures, i.e. strategic, operational, legal, financial, etc.) and the strategic and operational plans / initiatives.

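The D5 rating criteria (impact and likelihood per risk category, a tolerance per category, a Group-level appetite above that) and the D15 output (risks prioritized from survey results) are described above only as definitions. The Python below is an added example, not EY's proposal material and not the behaviour of any GRC product: it aggregates several respondents' ratings per risk, scores each risk, flags breaches of its category tolerance, checks the aggregate against the appetite, and ranks the register. The 1-5 scales, the heat-map bands, the tolerance and appetite values, and the sample risks and survey answers are all assumptions constructed for the illustration.

```python
"""Score a risk register against category tolerances and a Group appetite.

Added example, not EY's or Company A's material. Every policy-like value
below (scales, bands, tolerances, appetite, sample risks and survey answers)
is an assumption constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import median_high

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 5-point scales for impact and likelihood

# Assumed risk tolerance per category: the highest inherent score
# (impact x likelihood) the Group will carry on any single risk in that category.
TOLERANCES = {"Strategic": 16, "Operations": 15, "Financial": 12, "Compliance": 8}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    category: str
    owner: str


@dataclass(frozen=True)
class SurveyResponse:
    risk_id: str
    respondent: str
    impact: int
    likelihood: int


def aggregate_ratings(responses: list[SurveyResponse]) -> dict[str, tuple[int, int]]:
    """Collapse individual survey answers into one (impact, likelihood) per risk.

    median_high keeps the result on the integer scale and, for an even number
    of answers, rounds towards the more severe rating instead of splitting it.
    """
    by_risk: dict[str, tuple[list[int], list[int]]] = {}
    for r in responses:
        for value in (r.impact, r.likelihood):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{r.risk_id}/{r.respondent}: rating {value} outside {SCALE_MIN}..{SCALE_MAX}"
                )
        impacts, likelihoods = by_risk.setdefault(r.risk_id, ([], []))
        impacts.append(r.impact)
        likelihoods.append(r.likelihood)
    return {rid: (median_high(i), median_high(l)) for rid, (i, l) in by_risk.items()}


def inherent_score(impact: int, likelihood: int) -> int:
    return impact * likelihood  # 1..25 on the assumed scales


def rating_band(score: int) -> str:
    # Assumed heat-map bands over the 1..25 score range.
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(risks, responses, tolerances):
    """Rank rated risks by score, flagging any that exceed their category tolerance.

    A risk with no survey answers cannot be rated and is left out of the ranking;
    a risk whose category has no tolerance is a framework gap and is an error.
    """
    ratings = aggregate_ratings(responses)
    rows = []
    for risk in risks:
        if risk.category not in tolerances:
            raise ValueError(f"{risk.risk_id}: no tolerance defined for {risk.category!r}")
        if risk.risk_id not in ratings:
            continue
        impact, likelihood = ratings[risk.risk_id]
        score = inherent_score(impact, likelihood)
        rows.append({
            "risk_id": risk.risk_id, "title": risk.title, "category": risk.category,
            "owner": risk.owner, "impact": impact, "likelihood": likelihood,
            "score": score, "band": rating_band(score),
            "breaches_tolerance": score > tolerances[risk.category],
        })
    # Highest score first; ties broken by impact so high-consequence risks surface first.
    rows.sort(key=lambda r: (-r["score"], -r["impact"], r["risk_id"]))
    return rows


def appetite_check(ranked, max_high: int) -> tuple[bool, int]:
    """Assumed appetite statement: the Group carries at most max_high High-rated risks."""
    high = sum(1 for r in ranked if r["band"] == "High")
    return high > max_high, high


# Constructed sample register and survey answers (three respondents per risk).
RISKS = [
    Risk("R1", "Single-source supplier for crude edible oil", "Operations", "VP Strategic Sourcing"),
    Risk("R2", "FX exposure on imported sugar", "Financial", "CFO"),
    Risk("R3", "Vendor payments without segregation of duties", "Compliance", "Head of Internal Audit"),
    Risk("R4", "Hypermarket expansion outpaces capital plan", "Strategic", "CEO"),
]
RESPONSES = [
    SurveyResponse("R1", "fin", 4, 4), SurveyResponse("R1", "sourcing", 5, 4), SurveyResponse("R1", "retail", 4, 3),
    SurveyResponse("R2", "fin", 3, 4), SurveyResponse("R2", "sourcing", 3, 3), SurveyResponse("R2", "retail", 4, 4),
    SurveyResponse("R3", "fin", 4, 2), SurveyResponse("R3", "sourcing", 5, 3), SurveyResponse("R3", "retail", 4, 3),
    SurveyResponse("R4", "fin", 3, 2), SurveyResponse("R4", "sourcing", 2, 2), SurveyResponse("R4", "retail", 3, 1),
]

if __name__ == "__main__":
    ranked = prioritize(RISKS, RESPONSES, TOLERANCES)
    for row in ranked:
        flag = "  <- exceeds category tolerance" if row["breaches_tolerance"] else ""
        print(f'{row["risk_id"]} {row["category"]:<11} I={row["impact"]} L={row["likelihood"]} '
              f'score={row["score"]:>2} {row["band"]:<6}{flag}')
    breached, high = appetite_check(ranked, max_high=0)
    print(f"High-rated risks: {high}; appetite breached: {breached}")
```

The point a practitioner should take from it: the tolerance is applied per category (the same score of 12 breaches the Compliance tolerance but not the Financial one), the appetite is applied to the aggregate, and out-of-scale survey answers or a category without a defined tolerance are rejected rather than silently scored, which is exactly the kind of rule the GRC tool's rating configuration has to enforce.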
Work stream 2: Work products illustration
D5 Risk Appetite – Risk universe (Illustrative)

Strategic
Governance: Board Performance; Tone at The Top; Control Environment; Corporate Social Responsibility
Planning and Resource Allocation: Organizational Structure; Strategic Planning; Budgeting; Forecasting; JV’s /Alliances and Partnerships; Technology Enablement; Special Purpose Entities; Tax Planning; Transfer Pricing
Major Initiatives: Vision and Direction; Planning and Execution; Measurement & Monitoring; Technology Implementations; Business Acceptance
Mergers, Acquisition & Divesture: Valuation and Pricing; Due Diligence; Execution and Integration
Market Dynamics: Competition; Pricing Pressures; Product Quality/Safety; Health & Safety; Macro-Economic Factors; Lifestyle Trends; Customer and Platform Mix; Socio-Political
Communication & Investor Relations: Media Relations; Crisis Communications; Employee Communication

Operations
Sales & Marketing: Marketing; Advertising; Research & Development; Sales & Pricing Management; Customer Support/Management
Supply Chain: Master Planning & Forecasting; Procurement & Inventory; Production; Distribution; Transportation & Logistics
People: Culture; Recruiting & Retention; Development & Performance; Succession Planning; Compensation & Benefits; Labor Relations
Information Technology: IT Management; Information Protection; IT Availability / Continuity; Decision Support; Data Protection and Privacy; IT Spend; IT Architecture
Hazards: Natural Events; Terrors & Malicious Acts
Physical Assets: Real Estate; Property, Plant & Equipment; Inventory
Tax Operations: Property Taxes; Tax Department Operations; Tax Technology and Knowledge
Compliance – Code of Conduct: Ethics; Fraud
Legal: Contract; Liability; Intellectual Property; Anti-Corruption
Regulatory: Trade; Customs; Labor; Securities; Environment; Competitive Practices/Anti-Trade; Tax Compliance and Tax Authority Examination; Sales and Marketing

Financial
Market: Interest Rate; Foreign Currency; Commodity; Derivatives
Liquidity and Credit: Cash Management; Funding; Hedging; Credit and Collections; Insurance
Capital Structure: Debt; Equity; Pension Funds; Stock Options
Accounting and Reporting: Accounting, Reporting and Disclosure; Reporting and Information Integrity; Internal Control

D6 GRC Process controls requirement document (Illustrative) – General Question / Vendor response

GRC - Transversal Functionalities
► Please describe how the organisation structure can be defined in your solution and what information can be stored about entities
► Please describe how processes can be structured in your solution and whether it is possible to define multiple process levels
► Please describe how controls can be linked to sub-processes and risks in your solution and whether controls can be linked to multiple sub-processes
► Describe how risks can be linked to processes in your solution, and what information can be stored about risks
► Please outline the ability of your solution to define users (profiles)
► Outline the ability of your solution to define habilitation rights for users, and whether the user profile can be defined from an application, organization and process scope
► What configurations are available in your system (e.g. modify application labels, add/hide process/entity/risk/control attributes, create/modify attribute values)? Outline which configurations can be delegated to the Client, and which configurations can only be performed by the software editor
► Outline the ability of your solution to define, for each single object (finding, recommendation, etc.), which role can display / modify each field
► Describe the ability of your solution to track all actions performed by users (who is doing what, when) and whether the full audit trail can be easily accessed by specific users. Outline if this is a technical log, or if functional users can easily display those audit trails
► Does your solution offer an integrated library (which enables users to attach documents or define hyperlinks to external libraries)?
► Does your solution offer document version management to help users track previous document versions?
► Can user access rights be defined in the application, including the modification of and access to documents based on the user’s profile?

GRC - Operational Risk Management
► Outline the ability of your solution to create ad hoc IS/IT questionnaires. Does your solution offer a validation workflow and reporting/dashboarding capabilities for ad hoc IS/IT questionnaires?
► Outline the IT risk management capabilities of your solution (e.g. an IT risk mapping exercise)
► Outline the risk assessment capabilities of your solution (e.g. library of global IT risks, ability to customize global IT risks, ability to add new IT risks, ability to define mitigation actions)
► Outline the IT risk management reporting and dashboarding capabilities of your solution (e.g. risk heatmap)
► Outline the business continuity plan (BCP) capabilities of your solution and the functionalities offered (e.g. ability to create BCP templates, perform impact analysis, perform testing, provide crisis management support)

GRC - Internal Control
► Outline the internal control management capabilities of your solution
► Outline the ability of your solution to define a questionnaire campaign for self-assessment or testing (to define what should be assessed, by a set of entities, and for a period of time)

D5 Risk Rating Criteria and Mitigation Plan Effectiveness – Assessment Criteria (Illustrative)

Work stream 2: Work products illustration
D7 Risk Management Policy/Procedures (Illustrative)

D8 Operating model of ERM (Illustrative)

GRC solution – Key Benefits
GRC solution provides the following key benefits to the business (Illustrative)

Risk and control environment before GRC
► Duplicate risk and controls across the organisation
► Different information available in silos
► More time in data compilation
► Risk and controls are not centralized
► Action plans and follow up are not managed
► Traceability of the data is a challenge

Risk and control environment after GRC
► Risk and controls ‘defined once, used many times’
► Single repository of knowledge base
► Spend less time in compilation and more time in analyzing
► Secured and homogenized traceable data
► Effective and sustainable monitoring – risk and control knowledge and action plans are held in a reliable and centralized manner, with follow up

GRC solution – Different Modules

Internal control
 Formalization / management of framework
 Questionnaire of self-assessment, documentation, testing, indicators
 Action plan follow-up
 Analysis and reporting

Risk management (quantitative or qualitative)
 Risk identification (central / local)
 Risk assessment (risk cartography)
 Risk treatment (action plan)
 Incident collect and follow-up
 Analysis and reporting

Internal Audit
 Audit program and planning mgmt.
 Audit missions (work paper, …)
 Recommendations and action plan follow-up
 Analysis and reporting

Compliance
 Formalization and sharing of regulations framework
 Assessment of regulation compliance
 Alert management and market information
 Analysis and reporting

Further modules: Business Cont. Mgmt.; Continuous Control Monitoring; HSE / sustainability
(Diagram: IC, ERM, Audit and Compliance modules arranged around a common core)

Note: As part of the current project, GRC tool would be evaluated with ERM requirements and related considerations

GRC solution – Risk Management focus and related modules

Enterprise Risk Management
 Major risks universe (central / local)
 Risk identification
 Risk assessment and hierarchy (with workshop management)
 Risk aggregation
 Major incident database
 Treatment (action plans)
 Policies and procedures follow-up

Project Risk Management
 Project and associated risks portfolio
 Risk assessment (cartography)
 Incident database, back testing
 Quantification (cost at completion management, capital allocation to manage project treasury)
 Treatment (action plans)

IT Risk Management
 IT Risk universe
 Risk assessment (cartography)
 Incident database, back testing
 Treatment (action plans)

Operational Risk Management
 Risk framework (market, credit, country risks, …)
 Risk assessment (cartography)
 Quantification (rate, cover, insurance / re-insurance, financial impacts, …)
 Incident database, back testing
 Treatment (action plans)

Note: As part of the current project, GRC tool would be implemented to meet the ERM requirements and related considerations

Work stream 3: RFP preparation and GRC vendor evaluation

Work products for work stream 3:
D9. Request for proposal (RFP) covering GRC License and implementation requirements
D10. Vendor evaluation criteria
D11. Vendor evaluation report

GRC Product and implementation partner Evaluation Options
The following two vendor evaluation options can be considered:
► Option 1: Evaluate and recommend GRC product partner first and then evaluate suitable implementation partner
► Option 2: Evaluate and recommend GRC system integrator/consortium (GRC product partner and implementation partner)
Company A team can derive the following benefits by opting for Option 2:
► Faster evaluation and selection time (2-3 months)
► No ambiguity on scope of work, its fitment in the GRC product and implementation scope
► End to end project ownership of the GRC product partner (product limitation is not a concern for Company A)
Considering the above benefits, EY recommends that Option 2 be followed at Company A. The following approach details have been worked out on the basis that Option 2 is followed at Company A.

Evaluate and recommend GRC system integrator/consortium

RFP Preparation
An RFP containing the following key information needs to be prepared and shared with the GRC vendors:
► Project objectives
► Key business requirements pertaining to ERM that need to be automated
► License and implementation requirements
► Technical and commercial criteria for evaluating the GRC product vendors

GRC System integrator/consortium Evaluation
Once the GRC vendors respond with their proposals for both the license and implementation components, appropriate evaluation criteria need to be used to evaluate the strengths and weaknesses of each GRC product/implementer. A vendor demonstration process is to be used to assess ease of use, product fitment and scalability of the solution as per Company A’s demonstration scripts.


Work stream 3: RFP preparation and vendor evaluation (cont’d)

Work products for work stream 3:
D9. Request for proposal (RFP) covering GRC License and implementation requirements
D10. Vendor evaluation criteria
D11. Vendor evaluation report

EY activities
We will perform the following activities during this phase:

RFP Preparation and issuance
► Identify license requirements for the ERM module of the GRC system
► Finalize functional requirements along with prioritization for evaluating a system integrator or consortium team (GRC tool and implementation partner)
► Document vendor demonstration scripts and obtain business confirmation
► Develop an expected GRC implementation plan including project management, change management and support considerations
► Prepare the draft RFP document and get the sign-off from the business
► Suggest technical, functional and commercial evaluation criteria which need to be used for the evaluation
► Identify the top three to five GRC system integrators or consortium teams to be evaluated, based on the ratings given by leading independent research agencies such as Gartner and Forrester. Company A to issue the RFP to these top three to five GRC vendors

Evaluate the proposals and vendor demos
► Evaluate vendor responses received from the GRC system integrators or consortium teams
► Assist in vendor brief meetings. Respond to the RFP clarifications received from the GRC vendors
► Evaluate the vendor responses on technical parameters and shortlist the vendors
► Provide the vendor demonstration scripts with test data to the shortlisted GRC vendors to assess the technical capabilities of the GRC products
► Evaluate the vendor responses on technical and commercial parameters. For this step we will use our proprietary GRC Evaluation toolkit (refer to the Appendices for details)


Work stream 3: RFP preparation and vendor evaluation (cont’d)

Work products for work stream 3:
D9. Request for proposal (RFP) covering GRC License and implementation requirements
D10. Vendor evaluation criteria
D11. Vendor evaluation report

EY activities

Support in finalization of the GRC System Integrator or consortium team
► Present the final evaluation report to the management
► Management to finalize GRC product
► Conduct workshop with Company A management to discuss and validate the high level GRC processes requirements drafted by EY

Support in finalization of the contract
Assist in finalizing the contract with specific focus on the following areas:
► Scope of work
► Extension/delay clauses and change request process
► License ownership and intellectual property rights
► Software upgrade terms
► Maintenance, warranties, arbitration procedures

Company A activities
► Finalize the list of three to five vendors to be invited to the RFP process
► Validate technical, functional and commercial evaluation criteria for evaluating ERM product vendors
► Validate demonstration scripts which would be used for demonstrating the ERM solution by different ERM product providers
► Issue the RFP to vendors
► Negotiate with vendors and finalize GRC product vendor
► Sign the contract with GRC system integrator or consortium team


Work stream 3: RFP preparation and vendor evaluation illustration
D9 Request for Proposal (RFP) – Scoring criteria to be incorporated in the RFP (Illustrative)

Scoring legend (70%): Favorites = 5; Good = 3; Baseline = 1
* Below baseline would be awarded zero
** For credentials not live, only 50% of the scores would be awarded

Scoring legend sheet (Detailed criteria | Source reference | Baseline | Good | Favorites):
Product Brief
Overall ERM Experience of SI
Credentials relevant to retail and diversified industrial sector
Team Experience in retail and diversified industrial sector

Sl.No | Criteria | Weightage | Max Rating | Score
1 | ERM Product Evaluation (no. of years, credentials) | xx | xx
2 | System Integrator Evaluation (no. of years, credentials) | xx | xx
3 | General Requirement (presence in UAE, consultants) | xx | xx
3.1 | Functional business requirement (risk identification, risk assessment, risk classification, risk monitoring) | xx | xx
3.2 | Package Configuration, Extension and Customization | xx | xx
3.3 | Flexibility and future scalability | xx | xx
3.4 | Technical Interfacing / Integration / Conversion | xx | xx
3.5 | Security features | xx | xx
3.6 | Backup/Restore | xx | xx
3.7 | Operational (Robust, user access, authorization) | xx | xx
3.8 | Support | xx | xx
3.9 | Licensing | xx | xx
4 | Product Demonstration as per demo scripts | xx | xx
** TOTAL | | xx | xx

D10 Vendor evaluation criteria (Illustrative)
After the initial short-listing, a detailed evaluation matrix can be circulated to the short-listed product vendors.

Based on the information received from the vendor in the RFP and its appendices, Company A can use the detailed matrix for evaluation:

Vendors | Sl.No. | Parameter | Weightage | Rating | Max | Normalized score
Vendor 1 | 1 | Functional | XX | 0 | 100 | 0.00
Vendor 1 | 2 | Technical | XX | 0 | 100 | 0.00
Vendor 1 | 3 | Commercial | XX | 0 | 100 | 0.00
Vendor 1 | | Total | XX | | | 0.00
Vendor 2 | 1 | Functional | XX | 0 | 100 | 0.00
Vendor 2 | 2 | Technical | XX | 0 | 100 | 0.00
Vendor 2 | 3 | Commercial | XX | 0 | 100 | 0.00
Vendor 2 | | Total | XX | | | 0.00
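The arithmetic behind the D10 evaluation matrix above, and behind the composite scorecard shown in the D11 report that follows, is a weighted normalization: each parameter contributes weightage × rating / max, and the vendor total is the sum. The following Python is an added example, not code from the proposal or from EY's evaluation toolkit; it encodes the scoring rules the RFP illustration states (legend Favorites 5 / Good 3 / Baseline 1, zero below baseline, 50% of the score for credentials that are not live) and rejects a matrix whose weights do not sum to 100. The vendor names, weights and ratings are constructed.

```python
"""Weighted vendor scoring for a GRC RFP evaluation matrix.

Added example, not code from the proposal. It encodes the scoring rules
the D10 illustration states: ratings on the legend Favorites = 5,
Good = 3, Baseline = 1, below baseline = 0; credentials that are not
live earn only 50% of their score; and each parameter's normalized
score is weightage * rating / max, summed to a vendor total.
Vendor names, weights and ratings below are constructed.
"""
from dataclasses import dataclass

# Scoring legend from the RFP illustration; anything else is below baseline.
LEGEND = {"favorite": 5, "good": 3, "baseline": 1}


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float            # weightage in percent; all weights sum to 100
    max_rating: float = 100  # "Max" column: the scale the rating is on


@dataclass(frozen=True)
class Response:
    rating: float                 # rating awarded by the evaluator
    credential_live: bool = True  # ** rule: not-live credentials get 50%


def legend_score(level: str) -> int:
    """Map a legend level to points; unknown levels are below baseline (0)."""
    return LEGEND.get(level.lower(), 0)


def normalized_score(c: Criterion, r: Response) -> float:
    """Normalized score = weightage * rating / max, after the 50% credential rule."""
    rating = r.rating if r.credential_live else r.rating * 0.5
    rating = min(max(rating, 0.0), c.max_rating)  # clamp into [0, max]
    return round(c.weight * rating / c.max_rating, 2)


def evaluate(criteria, responses_by_vendor):
    """Return {vendor: {criterion name: normalized score, ..., "Total": sum}}.

    Refuses to score if the weights do not add up to 100, which is the
    usual spreadsheet error in a hand-built matrix.
    """
    total_weight = sum(c.weight for c in criteria)
    if abs(total_weight - 100) > 1e-9:
        raise ValueError(f"weights must sum to 100, got {total_weight}")
    results = {}
    for vendor, responses in responses_by_vendor.items():
        scores = {c.name: normalized_score(c, responses[c.name]) for c in criteria}
        scores["Total"] = round(sum(scores.values()), 2)
        results[vendor] = scores
    return results


def rank(results):
    """Vendors ordered by total, best first."""
    return sorted(results, key=lambda v: results[v]["Total"], reverse=True)


# Constructed sample matrix: one legend-rated credential criterion plus the
# three parameters of the illustration (Functional / Technical / Commercial).
CRITERIA = [
    Criterion("Credentials", 10, max_rating=5),
    Criterion("Functional", 45),
    Criterion("Technical", 25),
    Criterion("Commercial", 20),
]
RESPONSES = {
    "Vendor A": {
        "Credentials": Response(legend_score("favorite")),
        "Functional": Response(76),
        "Technical": Response(75),
        "Commercial": Response(68),
    },
    "Vendor B": {
        "Credentials": Response(legend_score("good"), credential_live=False),
        "Functional": Response(62),
        "Technical": Response(36),
        "Commercial": Response(87),
    },
}


def demo():
    """Score the constructed matrix and return (results, ranking)."""
    results = evaluate(CRITERIA, RESPONSES)
    return results, rank(results)


if __name__ == "__main__":
    results, order = demo()
    for vendor in order:
        print(vendor, results[vendor])
```

Keeping the weight check and the clamp in code rather than in a spreadsheet cell makes the two silent failure modes of such matrices (weights that drift away from 100 after an edit, and a rating typed above the Max column) visible before a total is presented to management.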

Work stream 3: RFP preparation and vendor evaluation illustration
D11 Vendor Evaluation Report (Illustrative)

Functional – Based on GRC product demonstration: bar chart of demo script results per product (Product 1 to Product 4), rating as per weightage; values shown are 15.3, 13.2, 13.4 and 10.5 on a 1 to 21 scale.

Work stream 3: RFP preparation and vendor evaluation illustration
D11 Vendor Evaluation Report (Illustrative: pages from a sample EY evaluation report, Report Number: 2007-Mumbai-0159, prepared for “PPL”; vendor names anonymised as XYZ1 to XYZ4)

This announcement appears as a matter of record only.
RISK AND BUSINESS SOLUTIONS

1.10 Overall Scores
The following is a diagrammatic representation of the comparative scores between XYZ2 Enterprise One, myXYZ1 ERP ECC6.0 & Microsoft Navison Dynamics based on the parameters and the methodology explained earlier in this document. Refer Annexure – I for detailed evaluation and corresponding scores.
Exhibit 1: ERP Evaluation Composite Scorecard (bar chart of final and normalized scores for JDE, SAP and Navision); Exhibit 2: ERP Evaluation Parameter comparison Scorecard (Technical (30), Functional (50), Commercial (20)).

The diagram illustrates how the three ERPs fare on suitability parameters based on the requirements of PPL. On the functional side, there is no major difference between the functional scores of the three ERPs, as they are relatively comparable. In technical aspects, XYZ1 & XYZ2 score almost at par, as these products are backed by large ERP focused organizations like XYZ1 & XYZ4, and the technical scalability and robustness is adequate and satisfactory. The absence of a large product suite and technical scalability within the same product family are the major areas where XYZ3 did not scale up to the peer product scores. Further, the market positioning of the product, targeted solely at Small and Medium scale Business (SMB), and the lack of any established credentials in a similar industry were also factors to consider.

The commercial comparison reveals that the TCO for XYZ3 is the least, hence it scores over XYZ1 & XYZ2 in this aspect. XYZ1 & XYZ2 score almost equally based on the initial prices quoted by them. Refer Annexure – I for detailed evaluation and corresponding scores.

Attached below is the composite score card after applying the weightage for Functional, Technical & Commercial aspects. This is to rightly represent the individual scores in line with the importance that PPL assigns to these aspects. As can be derived from the table, the composite score of XYZ1 is the maximum, followed by XYZ2.

Exhibit 3: ERP Evaluation – Composite Scorecard
Sr.No. | Parameter | Weightage | Rating | Max | Normalised Score of 100
JDE E1
I | Functional | 50 | 66 | 100 | 33
II | Technical | 30 | 75 | 100 | 22
III | Commercial | 20 | 69 | 100 | 14
Total | | 100 | | | 69
SAP ECC6.0
I | Functional | 50 | 76 | 100 | 38
II | Technical | 30 | 75 | 100 | 23
III | Commercial | 20 | 68 | 100 | 14
Total | | 100 | | | 74
MS - Navision
I | Functional | 50 | 62 | 100 | 31
II | Technical | 30 | 36 | 100 | 11
III | Commercial | 20 | 87 | 100 | 17
Total | | 100 | | | 59

2. Benchmarking Areas, Parameters and Weightage
After the initial discussion with the PPL management and a high level study of their key processes, the 14 functional requirements and parameters were identified. The relative importance of the given parameter in the overall scheme (Weightage) applied for the areas has been distributed according to the business model as discussed with PPL. The areas within sections were given weightage depending on their importance. Each section’s scores were then normalized with their respective weightage. (Refer Annexure I for details)

Sr. No. | Parameter | Weightage
1 | Functional Fitment | 50%
2 | Technical Fitment | 30%
3 | Commercial Feasibility | 20%

Each section had multiple parameters which were rated as follows (rating scale 0 to 5):
0 – No fit
1 – Heavy customization
2 – Work around
3 – Simple customization (free of upgrade)
4 – Direct fit
5 – Exceeds expectations

Table A: Functional matrix (Areas and Weightage)
Sl. No. | Criteria | Weightage | Maximum Rating
1. | General Features | 10 | 85
2. | Functional Requirements | 90 | 700
2a | Production Planning & Control | 50
2b | Inventory Management | 80
2c | Purchase | 85
2d | Sales & Distribution | 60
2e | Exports | 25
2f | Research & Development | 20
2g | Knowledge Management | 10
2h | Plant Maintenance | 30
2i | Quality Management | 50
2j | Human Resource & Payroll | 40
2k | Finance | 85
2l | Management accounting | 40
2m | India Localization | 50
2n | Application Security | 45
2o | Add-ons (CRM, SRM, etc) | 30

The weights were defined to underline the relative importance of each area in the RFP. In addition to the weights assigned to each component indicated in Table A, further detailed weights were also applied to all parameters based on the importance attached to them. The above were discussed and finalized with the PPL ERP project management team before the release of the RFP to the vendors.

3. Detailed Benchmarking Report
3.1 Functional Fitment (50%) – for details refer page 3 of Annexure I
The main criteria considered for functional fitment were as shown in Table A. It includes two sub-sections (10:90 weightage), one for general features expected from an ERP. The second section includes the important functions of the business processes like Finance, Sales & Distribution, Purchase, Production etc. Based on discussion with PPL management, the weightage for each of these criteria was assigned. As seen above, the weightage has been assigned based on the importance associated with it as per the PPL management. The most important functions like Finance, Purchase and Inventory management have been assigned the maximum weightage. Following these are the functions like Sales, Distribution, Production and Quality management. Last but not least are functions related to India localization, MIS, Plant maintenance, etc. Also considered for the evaluation are aspects related to application security and add-ons like CRM (Customer Relationship Management), SRM (Supplier Relationship Management) etc., from the perspective of scalability of the ERP. Plant maintenance and Knowledge management, though currently not the focus areas for PPL, have been considered for the ERP evaluation as these may be implemented in the future.

Exhibit 4: Functional Fitment Analysis (bar chart of scores per functional area for JDE, SAP and Navision)

Analysts Commentary: Functional Fitment is an important consideration of any ERP evaluation. Though most ERPs offer similar functionalities and possess comparable features, the extent of configuration involved and the ease of configuration and maintenance differ.
 General Features: Amongst the general features under consideration, XYZ2 scored better than XYZ1 in terms of facility for self training and system enabled documentation. This is due to the availability of UPK (User productivity kit), which makes this feature easy to use. However, XYZ1 scores over XYZ2 in the BI (Business Intelligence) aspects as the tool is located on a separate server with pre-loaded info-cubes which can slice & dice data very effectively. BI for XYZ2 is built into the various functions/modules and appears to be less effective than XYZ1. Scalability in XYZ2 may also be a concern as each element is priced differently. XYZ3 may have to be customized to achieve a few essential features like maker checker control in master data.
 Business functions: XYZ1 and XYZ2 are comparable in most of the business functions considered for evaluation. XYZ3 may have to be customized to achieve a few essential features in critical business functions like Sales and Production. The aspects related to Plant maintenance have been mentioned as ‘not available’ in the response by XYZ3. HR & Payroll have also been mentioned as an add-on rather than a standard feature in the ERP. XYZ1 & XYZ2 have been evaluated as capable of interfacing with the machines and production systems such as Esko graphics and Heidelberg currently used by PPL. In Inventory management, none of the ERPs have a gate entry module as desired by PPL. Contracts in Purchasing are a well developed functionality in XYZ1 as compared to XYZ2 and XYZ3. For Export-Import documentation, XYZ1 has recommended a third party software created by IVL while XYZ2 (XYZ4) has recommended a similar add-on software by Chenab. Interfacing of CAD files with XYZ1 may be easier than with XYZ2 and XYZ3 due to the availability of DMS (Document management system). India Payroll is not available as a standard feature in XYZ2, is a standard feature in XYZ1, while it can be managed in XYZ3 by using an add-on software. The most important differentiator is the India localization (includes local taxes, VAT, Excise etc.) where XYZ1 has an integrated functionality while XYZ2 and XYZ3 could not demonstrate the same in the written response and the subsequent product demonstrations.

Work stream 4, 5 & 6: Detailed Approach – Embedding ERM framework in GRC and Quality Assurance
The following diagram illustrates the various stages in the GRC implementation and the services offered by EY as part of quality assurance, i.e. Design Review and Solution Review, during the course of GRC implementation.

GRC implementation stages (third party role): Project Preparation → Functional Design → Technical Design → Build → Test → Go Live and Support
EY role: 4 Embedding ERM framework in GRC; 5 Design Review; 6 Solution Review

GRC implementation stages and EY involvement

Work Stream | EY Activity | Details
4 | Embedding the ERM framework in the GRC tool | Provide the functional requirements pertaining to the ERM framework to the GRC implementation partner so that they are considered as part of functional design
5 | Design Review | Review the ERM design document and validate whether processes such as risk assessment, risk classification/prioritization and risk monitoring have been appropriately mapped in the solution as defined in the ERM framework document
6 | Solution Review | Review the final build/configuration of the GRC solution vis-à-vis the design document, test the business processes and identify any gaps vis-à-vis leading practices

Work stream 4: Embedding the ERM framework within GRC tool

Work products for work stream 4:
Workshop 3: Workshops for the GRC implementation partner explaining the ERM framework and reporting requirements

ERM framework and its integration in the GRC tool
► EY to conduct the knowledge transfer workshop for the selected GRC implementation partner so that it understands Company A’s current risk and control set up and the ERM framework and related requirements defined by EY
► EY to provide the required clarification to the GRC implementation partner on the ERM framework
► Business process requirements provided by the EY team to be used by the GRC implementation partner in functional and technical design

EY activities
► EY to conduct a workshop for the GRC implementation partner and perform knowledge transfer of the above reporting requirements and ERM framework to the GRC implementation partner

Company A activities
► Participate in the knowledge transfer workshop conducted for the GRC implementation partner

Work stream 5: Design review during GRC Implementation

Work products for work stream 5:
D12. Design Review Report

Functional and Technical Design (to be performed by the GRC implementation partner)
Activities performed by the GRC implementation partner
• The GRC implementation partner would attend the workshop conducted by EY. EY to perform the knowledge transfer to the GRC implementation partner pertaining to the ERM framework developed.
• The GRC implementation partner would define the master data structure such as process, sub process, risk and control in the functional design document as required for the ERM tool, based on the framework developed by EY.
• The GRC implementation partner would leverage Company A’s existing risk data (strategic, operational, compliance and financial) identified by EY as part of the ERM project.
• The GRC implementation partner to map the risk assessment framework in the GRC system. The partner will map risk appetite, risk responses, mitigation plan, key risk indicators and Company A’s reporting requirements in the ERM module of GRC.
• The GRC implementation partner to prepare the functional design document mapping the ERM framework and related requirements defined by EY. The GRC implementation partner to also prepare the technical design document wherein Company A’s workflow, alerts and reminders related requirements will be mapped in its ERM module.
• The GRC implementation partner to conduct the workshop explaining the functional and technical design document to the Company A team. The functional and technical design document to be signed off by Company A’s core team and business process owners.

Work stream 5: Design review during GRC Implementation

Work products for work stream 5:
D12. Design Review Report

Functional Design Review during GRC implementation
The GRC implementation partner would prepare the functional design document highlighting how the ERM framework and related business requirements are mapped in their GRC product. This phase would commence after the submission of the functional design document by the GRC implementation partner to Company A for its validation. The objective of this phase would be to ensure that ERM business requirements are appropriately mapped in the functional design.

EY activities
We will perform the following activities during this phase:
► Review the design strategy and standards adopted by the implementation partner
► Participate in the functional workshops to ensure that the implementation partner correctly understands the business requirements
► Review the functional design document prepared by the implementation partner against the scope of work defined as part of the RFP document and the ERM framework defined by EY
► Review the development list submitted by the Implementation Partner

Company A activities
► Identify representatives from Company A and the Implementation Partner for this engagement
► Provide management approved deliverables for the design phase which have been shared by the implementation partner
► Provide the development list as submitted by the Implementation Partner
► Facilitate meetings involving resources from both Company A (process owners) and the Implementation Partner on a timely basis, as and when requested
► Provide required information to facilitate timely completion of the deliverables

Work stream 5: Design review during GRC implementation – illustrative slide (figure not reproduced in text)

Work stream 6: Solution review during GRC implementation
Solution configuration and development (to be performed by the GRC implementation partner)
Activities performed by the GRC implementation partner
► The GRC implementation partner would configure the solution and align it with the functional and technical design documents signed off by Company A’s business core team and business process owners
► The GRC implementation partner would test the solution before it is handed over to the core team for unit/integration/user acceptance testing
► The GRC implementation partner would train Company A’s core team so that it can conduct the testing (unit/integration/user acceptance testing)
► The templates for the test scripts to be used during unit/integration/user acceptance testing are to be provided by the GRC implementation partner. The test script data compiled by Company A’s core team is to be reviewed by the GRC implementation partner.
► The GRC implementation partner is to resolve the issues reported during solution testing by Company A’s core team or the EY team
► The GRC implementation partner is to prepare the training document and configuration document. These documents are to be used during the end user and core team training provided by the GRC implementation partner
► The GRC implementation partner is to train the core team in the GRC configuration area so that Level 1 and Level 2 calls post GRC implementation can be handled by the core team directly.
► The GRC implementation partner is to define the authorization access in the production environment based on the requirements given by the core team.

Work stream 6: Solution review during GRC implementation
Solution design review during GRC implementation
The GRC implementation partner would configure the GRC solution referencing the functional and technical design documents. The GRC implementation partner would test the solution first and then hand over the system to the Company A core team for their testing. This phase would commence post hand over of the system to the Company A core team by the GRC implementation partner. The objective of this phase would be to ensure that the GRC system is tested comprehensively to validate its conformance to the functional design document and to confirm that there are no major bugs in the system.

Work products for work stream 6:
D13. Solution Review Report

EY activities
We will perform the following activities during this phase:
► Review unit test scripts proposed by the implementation partner and recommend changes based on the coverage of the
design documents
► Review the GRC configuration and analyze its alignment to the design document. Verify whether ERM processes have
been adequately mapped
► Test sample processes for operating effectiveness in the test environment as necessary
► Evaluate the opportunities for optimizing the ERM application functionality defined in the GRC application and
recommend the use of leading practices
► Review the System Integration Test Scripts proposed by the Implementation Partner and identify improvement areas (if any)
► Participate in meetings with the GRC implementation partner and Company A team to discuss the user acceptance test
plan

Company A activities
► Provide updated GRC design documents prepared by the GRC implementation partner to EY team
► Facilitate meetings with key stakeholders and the implementation partner
► Provide required testing data and information as necessary to facilitate timely completion of the deliverables
► Provide application access in the GRC quality environment for executing transactions and display view of the
configuration
► Arrange for infrastructure as required for the review

Work stream 6: Solution review during GRC implementation – illustrative slide (figure not reproduced in text)

Work stream 7: GRC Tool Training (train the trainer)
EY activities
► Participate in meetings with the management of Company A and the GRC project management team to discuss the overall approach to training based on the following considerations:
  ► Number of end users to be trained for each location, department and function
  ► Training methodology
  ► Training infrastructure
► EY to finalize the training strategy and training plan along with Company A management and the GRC implementation partner
► EY will guide the GRC implementation partner during preparation of the GRC training material. EY to assess the training provided by the GRC implementation partner. Based on the feedback from Company A’s key users, EY to get specific training conducted through the GRC implementation partner where end users/core team require more clarity.
► EY to follow the train the trainer approach for the GRC training. As part of this approach, the core team gets trained first and then provides the training to the end users. EY will get 2-3 training workshops (1-2 days each) arranged through the GRC implementation partner for the core team. EY would be overall responsible for the GRC training and get the training conducted through the GRC implementation partner.

Work products for work stream 7: -

Company A activities
► Project Coordinator to arrange participation of Core Team, Risk Champions and other relevant personnel.
► Participants to attend the sessions.
► Project Coordinator to arrange location and facilities, at Company A premises or any other location.

Workshop 4: 2-3 training workshops on the GRC tool (train the trainer) by the GRC implementation partner

GRC Implementation – Stakeholders & Roles
How it all fits together
(Diagram: Core Team, Implementer, Ernst & Young and Steering Committee arranged around People, Process and Technology.)

Company A Project Core Team
 Bring process understanding and act as a contact between top management and the ERM project
 Share the business requirements with the GRC implementation partner and EY team
 Test the solution and provide training to the end users
 Assist in implementation at all stages of design, testing and roll-out
 Take over the GRC system subsequent to the go-live stage

GRC Implementation Partner
 Prepare ‘to-be’ process design and process mapping solutions
 Train the client core team
 Perform system configuration
 Software customization, if any
 UAT, functionality testing, data migration support
 Provide system documentation
 Cut-over and roll-out strategy

Ernst & Young (will work as an extended arm of Company A)
 Define the ERM framework
 Provide the ERM business requirements to the GRC implementation partner
 Perform design and solution review to assess the alignment of the GRC implementation partner’s deliverables vis-à-vis the ERM framework defined by EY and leading industry practices in the ERM area

Steering Committee
 Provide guidance to the ERM team
 Resolve conflicts, if any, and address cross-functional issues
 Monitor progress of the overall implementation

Work stream 8: Identify and assess risks to determine ‘risks that matter’ using the GRC tool
Risk identification, assessment and prioritization
► Risk register
► Identify risk at inherent level
► Facilitate management assessment of risks
► Facilitate risk prioritization
(Callout on the slide: GRC tool ‘Vote and Report’ screen, used to see results at first glance; screenshot not reproduced in text)

EY activities
► Conduct desktop research to develop an indicative ‘going in’ risk register using Ernst & Young’s Risk Universe knowledge base, experience from similar ERM engagements and inputs from relevant senior executives.
► Circulate the indicative risk register to the identified stakeholders of the three departments as a reference before the meeting. In total, we will conduct 12-15 meetings:
  ► Finance in HQ
  ► Strategic Sourcing and Supply, procurement, in Food
  ► Commercial in Aziza Panda
► Conduct risk and control identification meetings with executives and incorporate meeting results using the GRC tool
► Consolidate the results using the tool and generate a Draft Risk & Control Register for the three departments
► Share the consolidated risk register with the Project Manager and Sponsor for their input.
► Based on feedback received, conduct risk rating and control design rating. Prioritization of the risks identified is done using the GRC tool. Risk prioritization will be done based on the protocols agreed with selected executives.
► Present the results of the risk prioritization to the Project Manager with the Project Steering Committee. For this we will use the GRC tool, which enables groups to assess risks and reach consensus on risk rating in a highly efficient process that frequently takes only half the time of traditional methods.
► Control identification will be carried out and assessment will be done at design level. No testing or verification of the existence and effectiveness of the controls will be done.

Work stream 8: Identify and assess risks to determine ‘risks that matter’ (cont’d.)
EY activities (continued)
Risk rating should be done at gross level/inherent level only. Residual risk shall be derived by the GRC tool based on the control design rating by management.
While performing risk and control identification meetings, we will be identifying 22 to 27 risks and their related controls for each department mentioned in the scope, for the purpose of ERM and GRC.

Work products for work stream 8:
D14. Risk Register
D15. Prioritized Risks based on survey results

Company A activities
► Functional Heads (VPs and other key executives) to make themselves available for meetings to discuss the risk register. Function Heads may choose to involve other team members during the meeting to seek inputs.
► Function Heads to validate and approve the Function-wise Risk Libraries within two days of the meeting.
► Function Heads may decide to call their team members during the meeting to seek inputs.
► In case the Function Head does not have correct information on the subject/function (for example, being a new joiner or transferee), it is the responsibility of management and the Project Liaison to nominate an appropriate member at senior management level for the discussion on risks.
► Project Sponsor to approve the Draft Risk Register before the Workshop.
► Project Coordinator to arrange for a workshop location and facilities, at Company A premises or any other location.
► Project Coordinator to arrange participation by Functional Heads and send invites for the Workshop.
► Functional Heads to participate in the workshop and the survey.
► Participants to respond on each risk for the following elements — impact of risk, likelihood of occurrence of the risk and current mitigation plan effectiveness, based on the criteria agreed as part of Work Stream 2 – ERM Framework.
► Project Sponsor to review and approve the Survey Results for the next stage.

Workshop 5: Workshop to present the results of risk prioritization
Work stream 8: Identify and assess risks to determine ‘risks that matter’ (cont’d.)
A risk classification framework developed on the basis of the understanding of the objective/process linkage provides a structure to the process of ‘thinking’ about the organization’s risk exposures.

Illustrative approach (figure not reproduced in text):
1. Compile BU/Function-wise indicative Risk Libraries using ‘Ernst & Young Telecom Knowledge Databases’ and secondary research.
2. Structured interviews with the identified stakeholders.
3. Group discussions with the identified stakeholder groups.
4. Risk register.

Illustrative risk library (sample shown: Ashok Leyland Limited, RISK LIBRARY). Columns: Sr. No.; Risk Event; Description; Risk Category; Risk Sub-Category; Consequence; Probability; Mitigation Plan Effectiveness (the last three columns are blank in the sample).

1. Risk Event: Inadequate knowledge / incorrect interpretation / faulty understanding / non-compliance of various laws/legal provisions on contracts, indirect taxation, GST, budget, etc. results in non-compliance leading to penalties, litigations, fines, etc.
   Description: The company may enter into contracts without adequate knowledge of commercial and international laws which may be detrimental, leading to fines and penalties. Absence of proper knowledge / understanding / updating of legal provisions, either existing or those that have changed, may lead to costly litigations / financial burden. E.g. provisions for availment of CENVAT credit on ineligible documents such as photocopies / duplicate copies of invoices, ineffective identification and compliance with different labor legislations (e.g. Factories Act, EPF Act, Bonus Act etc.) across regions in areas such as employee benefits, overtime, contract manufacturing, bonus, proper record maintenance etc. may result in Essar Steel facing imposition of fines, penalties, labor related liabilities, etc. Govt is getting stricter day by day and non-compliance can even lead to abolishment of jobs under contracts.
   Risk Category: Compliance; Risk Sub-Category: Legal

2. Risk Event: Absence of a legal vetting process / in-house expertise resulting in: 1. Inability to clearly identify and limit liability under contracts; 2. Exposure of business to unforeseen liabilities; 3. Inability to insure business against contractual and legal risks; 4. High legal costs.
   Description: Inability to identify and prevent legal risks posed by contracts and other commercial transactions and prevent non-compliance with regulatory requirements due to inadequate in-house legal expertise. This may result in continuous dependence on external law firms for legal opinions and also to defend the company in case of litigations and law suits. This not only raises the legal costs but may also result in confidential information being disclosed by such law firms.
   Risk Category: Compliance; Risk Sub-Category: Legal

3. Risk Event: Pending litigation could lead to: 1. Hefty payments reducing the company’s profitability; 2. Lower net profits.
   Description: Litigations pending against the company for Rs. 1300 Crores for which disclosures are provided in the Annual Reports.
   Risk Category: Compliance; Risk Sub-Category: Legal

4. Risk Event: Failure to identify and minimize exposure to geopolitical, regulatory and fraud risks via international business dealings, leading to: 1. Uncalculated exposures; 2. Non-compliance with local laws; 3. Legal suits.
   Description: 1. Non-compliance with Federal/State/Local government rules and regulations in countries in which the Company operates, e.g., occupancy permits for buildings. 2. Exposure to fraud in emerging markets. 3. Absence of control of ownership for operations at international locations.
   Risk Category: Compliance; Risk Sub-Category: Regulatory

5. Risk Event: Sub-optimal relationship with Tax Authority and lack of understanding of the requisite permissions or jurisdictional authorities.
   Description: Sub-optimal relationship with tax authorities may result in not getting requisite permissions for smooth operation of business.
   Risk Category: Compliance; Risk Sub-Category: Operational

6. Risk Event: Non-performance of contracts (post execution) resulting in contractual penalties.
   Description: Post execution a number of contracts may be lying unfulfilled. Non-performance may lead to contractual penalties being imposed on the Company and a loss of goodwill in the market.
   Risk Category: Compliance; Risk Sub-Category: Legal
Work stream 8: Work products illustration (cont’d.)
D14 & D15 Risks prioritization (illustrative figure; plots not reproduced in text)

Representative example – consolidated category and business vertical views (sample: MSIL entity level RTMs). Each panel plots risk exposure (Low to High) against management preparedness (Low to High), with the risks numbered 1-12 placed in zones labelled Improve, Monitor, Emerging and Accept / Optimize. Panels shown:
- Business vertical view: Administration, Engineering, Corporate Services, M&S, Production, Supply Chain
- Business unit view
- Risk pillar view
- Category view: Strategic, Operational, Economic, Social
- Strategic risk profile: comprehensive view of risks prioritized on the basis of impact and likelihood, across Financial / Reporting, Operational, Compliance / Legal and Strategic risks

 The organization has the necessary information to manage and monitor the significant risks facing the corporation – strategic, compliance, operational, and financial.
 Significant risk exposures are escalated on a consistent basis to support the efficient allocation of resources for assessment, improvement and monitoring.

Work stream 9: Incorporate reporting dashboard in GRC
Incorporate reporting dashboard
Based on the Enterprise Risk Management Framework and management’s requirements, develop an ERM reporting template within the GRC tool which will enable top management, risk champions and stakeholders (including Audit and Risk Committees) to understand the most important risks at business unit and corporate level as well as to gain a comprehensive view of Company A’s overall risk profile.
The GRC implementation partner would incorporate the reporting dashboards in the GRC system. Company A and the EY team to check and confirm whether reporting requirements are appropriately addressed.

Work products for work stream 9:
D16. ERM reporting package (extension of the ‘ERM Dashboard’), report template for Board of Directors, Risk Committee, Chief Executive Officer etc.

EY activities
► Provide required inputs such as ERM reporting protocols and template to the GRC implementation partner so that they can be incorporated in the GRC tool
► Define reporting pack. This includes:
  ► Compliance with ERM policy / framework
  ► Risk Assessment Results
  ► Tailored Information
► The ERM reporting dashboard will not be specific to any software/IT solution and will be based on PowerPoint slides
► The GRC implementation partner would incorporate this reporting dashboard into the GRC system. EY to check and confirm whether dashboard reports developed in the system are in line with the reporting requirements shared by EY

Company A activities
► Approve the work products
► Facilitate meetings with key stakeholders and the implementation partner
► Provide application access in the GRC quality environment for executing transactions and display view of the
configuration
► Arrange for infrastructure as required for the review
► Confirm whether dashboard reports developed in the system are in line with reporting requirements agreed with EY
team

Work stream 9: Incorporate reporting dashboard in GRC – illustrative deliverables
D16 ERM reporting dashboard (illustrative figure; dashboard screenshots not reproduced in text)

Leading organisations develop information risk dashboards to facilitate effective oversight of information risks and monitor adherence to the risk appetite. This would also involve the creation of a comprehensive process for tracking and monitoring of information risk and population of the risk dashboards.

Content – Dashboard (Enterprise Level)
The content of the enterprise level risk dashboard would need to be agreed with key stakeholders. It represents a balanced and aggregate view of all risk data. Typically it would include information such as:
• A risk heatmap (visual) depicting the most significant information risks
• Risk descriptions, ratings and a summary of key controls
• Risk appetite, including whether the current risk rating is within the risk appetite
• Status of ongoing risk mitigation activities (if any)
• Mapping of assurance coverage for the risks
• Key risk indicators (advanced)
The content of the dashboard would typically evolve over time as the organisation’s information risk management maturity increases. Initially, the dashboard is often produced manually with gradual automation as the process matures.
The dashboard would also typically include significant IRM investments, including the progress with these initiatives and how they map to key risk exposures.

Content – Dashboard (Key Risk Categories)
Dashboards would be produced for the key categories in the risk universe (illustrated: Strategy, Operations, 3rd Party Suppliers / Outsourcing, Applications & Databases, Process), to enable more comprehensive risk oversight. The content would typically include the same information as the enterprise dashboard but in more detail. A comprehensive monitoring process would underpin the periodic (and over time continuous) update of the dashboards.

Sample ‘Information Risk Dashboard (Enterprise Level)’ shown on the slide (leading practices – process):
Management preparedness factors as well as the design and performance of controls are used to calculate residual risk, which is the risk exposure considering inherent risk and mitigating factors.
Panels: Key Risks (heat map of risk exposure, impact x likelihood on a 0-25 scale, against design and performance of controls on a 1.0-5.0 scale, with treatment zones labelled Improve, Monitor and Accept / Optimize), Risk Treatment Plans, Controls, Findings, Loss Events, Key Controls & Assurance.
Illustrative residual risks plotted:
1 Emerging Markets – Growth
2 Liquidity – Cash Management
3 Key Supplier Dependence
4 Debt – Cost of Capital
5 IT – Security and Privacy
6 Sourcing – Global Competition
7 IT – Infrastructure Efficiency
8 Joint Venture Relationships
9 Ineffective Financial Planning and Forecasting
10 Competitive Recruitment and Retention
11 Focus and alignment of Acquisitions and Integration
12 Evolving Regulatory Changes – United States Markets

Sample ‘Key Controls & Assurance’ table (columns: Process No.; Business Process; Risk No.; Risk Name; Process-level Risk; Corporate Importance Rating; Control Activity No.; Former ICF No.; Control Activities; Control Category; CAVECOD; Control Method):
4.0 Capacity and Production Planning
4.1 Capacity planning
4.1.1 Long term capacity planning of property, plant and equipment | Risk 8, Make | Risk that insufficient capacity threatens XYZ’s ability to produce goods at or below cost levels incurred by competitors. Suboptimal investment in fixed assets. | Low
  4.1.1.1 | N/a | Management prepares and updates the MLTP plan on a yearly basis. Within this MLTP plan specific attention is paid to investments/disinvestments of property/plant/equipment. A study is included that evaluates the current capacity use, the bottlenecks and the demand for investment per category. | K | C, A, V | Management review
  4.1.1.2 | N/a | As part of the yearly budget cycle a CAPEX plan is submitted. This CAPEX plan breaks down the required investments in property/plant/equipment to assure that the company can keep up with market demand. | K | C, A, V | Policy & Procedure
  4.1.1.3 | N/a | Frequent analysis is made to investigate if the yearly rewarded CAPEX budget is being utilized according to approved CAPEX budget. Deviations are investigated and reported to local management. | R | C, A, V, C | Reconciliation
4.1.2 Maintenance of property, plant and equipment | Risk 8, Make | Risk that insufficiently planned maintenance, limited sources of maintenance workers and/or | Medium
  4.1.2.1 | N/a | A total overview of all plant and equipment is kept centrally. | R | C, A, E | Policy & Procedure
spare parts threaten XYZ's ability to produce spare parts threaten XYZ's ability to produce spare parts threaten XYZ's ability to produce

Tracking of vulnerabilities due to risk acceptance, non-


management.
quality products at competitive prices on a timely This (asset) register contains for maintenance at quality products at competitive prices on a timely This (asset) register contains for maintenance at quality products at competitive prices on a timely This (asset) register contains for maintenance at


basis. least the follow ing items: basis. least the follow ing items: basis. least the follow ing items: 4.1.2 Maintenance of property, plant and 8 Make Risk that insufficiently planned maintenance, Medium 4.1.2.1 N/a A total overview of all plant and equipment is kept R C, A, E Policy & Procedure
a) starting date of usage; a) starting date of usage; a) starting date of usage; equipment limited sources of maintenance w orkers and/or centrally.
b) maintenance requirements (hours/ pieces etc); b) maintenance requirements (hours/ pieces etc); b) maintenance requirements (hours/ pieces etc); spare parts threaten XYZ's ability to produce
c) maintenance indicators (meters etc); c) maintenance indicators (meters etc); c) maintenance indicators (meters etc); quality products at competitive prices on a timely This (asset) register contains for maintenance at
d) w hen last maintenance w as carried out, by w ho d) w hen last maintenance w as carried out, by w ho d) w hen last maintenance w as carried out, by w ho basis. least the follow ing items:
and w hat spare parts /products w ere used; and w hat spare parts /products w ere used; and w hat spare parts /products w ere used; a) starting date of usage;
e) w hen the next maintenance is expected to be e) w hen the next maintenance is expected to be e) w hen the next maintenance is expected to be b) maintenance requirements (hours/ pieces etc);
carried out and how many hours the machine w ill carried out and how many hours the machine w ill carried out and how many hours the machine w ill c) maintenance indicators (meters etc);
be out of business. be out of business. be out of business. d) w hen last maintenance w as carried out, by w ho
and w hat spare parts /products w ere used;
e) w hen the next maintenance is expected to be
carried out and how many hours the machine w ill
be out of business.

compliance and Deep Dive findings


Legal & Regulatory Infrastructure Programs & Change Mgmt Physical Environment • Tracking of the threat landscape, based on internal analysis
and external validation
Leading practices – process Leading practices – process Leading practices – process Leading practices – process
• Incorporation of external views (e.g. forums)
Information Risk Dashboard Information Risk Dashboard Information Risk Dashboard Information Risk Dashboard
Management preparedness factors as well as the design and performance of controls is used to Management preparedness factors as well as the design and performance of controls is used to Management preparedness factors as well as the design and performance of controls is used to Management preparedness factors as well as the design and performance of controls is used to
calculate residual risk which is the risk exposure considering inherent risk and mitigating factors . calculate residual risk which is the risk exposure considering inherent risk and mitigating factors . calculate residual risk which is the risk exposure considering inherent risk and mitigating factors . calculate residual risk which is the risk exposure considering inherent risk and mitigating factors .
Key Risks Risk Treatment Plans Key Risks Risk Treatment Plans Key Risks Risk Treatment Plans Key Risks Risk Treatment Plans
High 25.0 High 25.0 High 25.0 High 25.0
Re s idua l Re s idua l Re s idua l Re s idua l
ris k no . Illus tra tiv e re s idua l ris ks ris k no . Illus tra tiv e re s idua l ris ks ris k no . Illus tra tiv e re s idua l ris ks ris k no . Illus tra tiv e re s idua l ris ks
1 1 1 1
Improve Monitor 1

2
Em e r g in g Ma r k e t s – Gr o wt h

Liq u id it y —Ca s h Ma n a g e m e n t
Improve Monitor 1

2
Em e r g in g Ma r k e t s – Gr o wt h

Liq u id it y —Ca s h Ma n a g e m e n t
Improve Monitor 1

2
Em e r g in g Ma r k e t s – Gr o wt h

Liq u id it y —Ca s h Ma n a g e m e n t
Improve Monitor 1

2
Em e r g in g Ma r k e t s – Gr o wt h

Liq u id it y —Ca s h Ma n a g e m e n t
20.0 20.0 20.0 20.0
(Impact x likelihood)

(Impact x likelihood)

(Impact x likelihood)

(Impact x likelihood)
6 Controls 3 Ke y S u p p lie r De p e n d e n ce 6 Controls 3 Ke y S u p p lie r De p e n d e n ce 6 Controls 3 Ke y S u p p lie r De p e n d e n ce 6 Controls 3 Ke y S u p p lie r De p e n d e n ce
3 3 3 3
Risk exposure

Risk exposure

Risk exposure

Risk exposure

4 De b t – Co s t o f Ca p it a l 4 De b t – Co s t o f Ca p it a l 4 De b t – Co s t o f Ca p it a l 4 De b t – Co s t o f Ca p it a l
2 5 12 2 5 12 2 5 12 2 5 12
5 IT – S e cu r it y a n d P r iv a cy 5 IT – S e cu r it y a n d P r iv a cy 5 IT – S e cu r it y a n d P r iv a cy 5 IT – S e cu r it y a n d P r iv a cy
15.0 9 15.0 9 15.0 9 15.0 9
6 S o u r cin g - Glo b a l Co m p e t it io n 6 S o u r cin g - Glo b a l Co m p e t it io n 6 S o u r cin g - Glo b a l Co m p e t it io n 6 S o u r cin g - Glo b a l Co m p e t it io n
4 4 4 4
7 7 IT - In fr a s t r u ct u r e Efficie n cy 7 7 IT - In fr a s t r u ct u r e Efficie n cy 7 7 IT - In fr a s t r u ct u r e Efficie n cy 7 7 IT - In fr a s t r u ct u r e Efficie n cy
11 11 11 11

Any significant changes in risks and controls should be tracked


10.0 8
8 J o in t Ve n t u r e Re la t io n s h ip s
10.0 8
8 J o in t Ve n t u r e Re la t io n s h ip s
10.0 8
8 J o in t Ve n t u r e Re la t io n s h ip s
10.0 8
8 J o in t Ve n t u r e Re la t io n s h ip s
10 In e ffe ct iv e Fin a n cia l P la n n in g 10 In e ffe ct iv e Fin a n cia l P la n n in g 10 In e ffe ct iv e Fin a n cia l P la n n in g 10 In e ffe ct iv e Fin a n cia l P la n n in g
9 9 9 9
a n d Fo r e ca s t in g a n d Fo r e ca s t in g a n d Fo r e ca s t in g a n d Fo r e ca s t in g

Monitor Accept 10
Co m p e t it iv e Re cr u it m e n t a n d Monitor Accept 10
Co m p e t it iv e Re cr u it m e n t a n d Monitor Accept 10
Co m p e t it iv e Re cr u it m e n t a n d Monitor Accept 10
Co m p e t it iv e Re cr u it m e n t a n d
5.0 Re t e n t io n 5.0 Re t e n t io n 5.0 Re t e n t io n 5.0 Re t e n t io n
Risks Optimize Fo cu s a n d a lig n m e n t o f
Risks Optimize Fo cu s a n d a lig n m e n t o f
Risks Optimize Fo cu s a n d a lig n m e n t o f
Risks Optimize Fo cu s a n d a lig n m e n t o f
11 11 11 11
Acq u is it io n s a n d In t e g r a t io n Acq u is it io n s a n d In t e g r a t io n Acq u is it io n s a n d In t e g r a t io n Acq u is it io n s a n d In t e g r a t io n

Ev o lv in g Re g u la t o r y Ch a n g e s – Ev o lv in g Re g u la t o r y Ch a n g e s – Ev o lv in g Re g u la t o r y Ch a n g e s – Ev o lv in g Re g u la t o r y Ch a n g e s –

Low 0.0 12
Un it e d S t a t e s Ma r k e t s
Low 0.0 12
Un it e d S t a t e s Ma r k e t s
Low 0.0 12
Un it e d S t a t e s Ma r k e t s
Low 0.0 12
Un it e d S t a t e s Ma r k e t s

1.0 2.0 3.0 4.0 5.0 1.0 2.0 3.0 4.0 5.0 1.0 2.0 3.0 4.0 5.0 1.0 2.0 3.0 4.0 5.0
Low Design and performance of controls High Low Design and performance of controls High Low Design and performance of controls High Low Design and performance of controls High

I( I( I( I(

and monitored through these dashboards, and aggregated up to


Key Controls & Assurance Key Controls & Assurance Key Controls & Assurance Key Controls & Assurance
Process Business Process Risk Risk Process-level Risk Corporate Control Former Control Activities Control CAVECOD Control Method Process Business Process Risk Risk Process-level Risk Corporate Control Former Control Activities Control CAVECOD Control Method Process Business Process Risk Risk Process-level Risk Corporate Control Former Control Activities Control CAVECOD Control Method Process Business Process Risk Risk Process-level Risk Corporate Control Former Control Activities Control CAVECOD Control Method
No. No. Name Importance Activity ICF Category No. No. Name Importance Activity ICF Category No. No. Name Importance Activity ICF Category No. No. Name Importance Activity ICF Category
Rating No. No. Rating No. No. Rating No. No. Rating No. No.

4.0 Capacity and Production Planning 4.0 Capacity and Production Planning 4.0 Capacity and Production Planning 4.0 Capacity and Production Planning

4.1 Capacity planning 4.1 Capacity planning 4.1 Capacity planning 4.1 Capacity planning
4.1.1 Long term capacity planning of 8 Make Risk that insufficient capacity threatens XYZ's Low 4.1.1.1 N/a Management prepares and updates the MLTP plan K C, A, V Management review 4.1.1 Long term capacity planning of 8 Make Risk that insufficient capacity threatens XYZ's Low 4.1.1.1 N/a Management prepares and updates the MLTP plan K C, A, V Management review 4.1.1 Long term capacity planning of 8 Make Risk that insufficient capacity threatens XYZ's Low 4.1.1.1 N/a Management prepares and updates the MLTP plan K C, A, V Management review 4.1.1 Long term capacity planning of 8 Make Risk that insufficient capacity threatens XYZ's Low 4.1.1.1 N/a Management prepares and updates the MLTP plan K C, A, V Management review
property, plant and equipment ability to produce goods at or below cost levels on a yearly basis. property, plant and equipment ability to produce goods at or below cost levels on a yearly basis. property, plant and equipment ability to produce goods at or below cost levels on a yearly basis. property, plant and equipment ability to produce goods at or below cost levels on a yearly basis.
incurred by competitors. incurred by competitors. incurred by competitors. incurred by competitors.
W ithin this MLTP plan specific attention is paid to W ithin this MLTP plan specific attention is paid to W ithin this MLTP plan specific attention is paid to W ithin this MLTP plan specific attention is paid to
Suboptimal investment in fixed assets. investments/disinvestments of Suboptimal investment in fixed assets. investments/disinvestments of Suboptimal investment in fixed assets. investments/disinvestments of Suboptimal investment in fixed assets. investments/disinvestments of
property/plant/equipment. A study is included that property/plant/equipment. A study is included that property/plant/equipment. A study is included that property/plant/equipment. A study is included that
evaluates the current capacity use, the bottle evaluates the current capacity use, the bottle evaluates the current capacity use, the bottle evaluates the current capacity use, the bottle

the enterprise dashboard, if required, based on the agreed


necks and the demand for investment per necks and the demand for investment per necks and the demand for investment per necks and the demand for investment per
category. category. category. category.

4.1.1.2 N/a As part of the yearly budget cycle a CAPEX plan is K C, A, V Policy & Procedure 4.1.1.2 N/a As part of the yearly budget cycle a CAPEX plan is K C, A, V Policy & Procedure 4.1.1.2 N/a As part of the yearly budget cycle a CAPEX plan is K C, A, V Policy & Procedure 4.1.1.2 N/a As part of the yearly budget cycle a CAPEX plan is K C, A, V Policy & Procedure
submitted. This CAPEX plan breaks dow n the submitted. This CAPEX plan breaks dow n the submitted. This CAPEX plan breaks dow n the submitted. This CAPEX plan breaks dow n the
required investments in property/plant/equipment required investments in property/plant/equipment required investments in property/plant/equipment required investments in property/plant/equipment
to assure that the company can keep up w ith to assure that the company can keep up w ith to assure that the company can keep up w ith to assure that the company can keep up w ith
market demand. market demand. market demand. market demand.

4.1.1.3 N/a Frequent analysis is made to investigate if the R C, A, V, C Reconciliation 4.1.1.3 N/a Frequent analysis is made to investigate if the R C, A, V, C Reconciliation 4.1.1.3 N/a Frequent analysis is made to investigate if the R C, A, V, C Reconciliation 4.1.1.3 N/a Frequent analysis is made to investigate if the R C, A, V, C Reconciliation
yearly rew arded CAPEX budget is being utilized yearly rew arded CAPEX budget is being utilized yearly rew arded CAPEX budget is being utilized yearly rew arded CAPEX budget is being utilized
according to approved CAPEX budget. according to approved CAPEX budget. according to approved CAPEX budget. according to approved CAPEX budget.

Deviations are investigated and reported to local Deviations are investigated and reported to local Deviations are investigated and reported to local Deviations are investigated and reported to local
management. management. management. management.

4.1.2 Maintenance of property, plant and 8 Make Risk that insufficiently planned maintenance, Medium 4.1.2.1 N/a A total overview of all plant and equipment is kept R C, A, E Policy & Procedure 4.1.2 Maintenance of property, plant and 8 Make Risk that insufficiently planned maintenance, Medium 4.1.2.1 N/a A total overview of all plant and equipment is kept R C, A, E Policy & Procedure 4.1.2 Maintenance of property, plant and 8 Make Risk that insufficiently planned maintenance, Medium 4.1.2.1 N/a A total overview of all plant and equipment is kept R C, A, E Policy & Procedure 4.1.2 Maintenance of property, plant and 8 Make Risk that insufficiently planned maintenance, Medium 4.1.2.1 N/a A total overview of all plant and equipment is kept R C, A, E Policy & Procedure
equipment limited sources of maintenance w orkers and/or centrally. equipment limited sources of maintenance w orkers and/or centrally. equipment limited sources of maintenance w orkers and/or centrally. equipment limited sources of maintenance w orkers and/or centrally.
spare parts threaten XYZ's ability to produce spare parts threaten XYZ's ability to produce spare parts threaten XYZ's ability to produce spare parts threaten XYZ's ability to produce
quality products at competitive prices on a timely This (asset) register contains for maintenance at quality products at competitive prices on a timely This (asset) register contains for maintenance at quality products at competitive prices on a timely This (asset) register contains for maintenance at quality products at competitive prices on a timely This (asset) register contains for maintenance at
basis. least the follow ing items: basis. least the follow ing items: basis. least the follow ing items: basis. least the follow ing items:
a) starting date of usage; a) starting date of usage; a) starting date of usage; a) starting date of usage;
b) maintenance requirements (hours/ pieces etc); b) maintenance requirements (hours/ pieces etc); b) maintenance requirements (hours/ pieces etc); b) maintenance requirements (hours/ pieces etc);
c) maintenance indicators (meters etc); c) maintenance indicators (meters etc); c) maintenance indicators (meters etc); c) maintenance indicators (meters etc);

escalation thresholds.
d) w hen last maintenance w as carried out, by w ho d) w hen last maintenance w as carried out, by w ho d) w hen last maintenance w as carried out, by w ho d) w hen last maintenance w as carried out, by w ho
and w hat spare parts /products w ere used; and w hat spare parts /products w ere used; and w hat spare parts /products w ere used; and w hat spare parts /products w ere used;
e) w hen the next maintenance is expected to be e) w hen the next maintenance is expected to be e) w hen the next maintenance is expected to be e) w hen the next maintenance is expected to be
carried out and how many hours the machine w ill carried out and how many hours the machine w ill carried out and how many hours the machine w ill carried out and how many hours the machine w ill
be out of business. be out of business. be out of business. be out of business.

Confidential — All Rights Reserved — Ernst & Young 2014 The Company A– Technical Proposal 51
Work stream 10: ERM implementation plan
ERM implementation
► An ERM implementation plan would be developed to take ERM forward in Company A. This will include all core planning elements such as:
► Identification of key implementation milestones and key dependencies.
► Implementation timelines.
► Implementation protocols and structures (e.g., PMO set up, reporting lines, issue and risk management).
► Developing cost estimates, obtaining formal quotations and developing detailed implementation plans for the identified improvement recommendations is not part of the scope.

Work products for work stream 10:
► D17. ERM implementation plan

EY activities
► Develop ERM implementation plan.
► Discuss and agree the work products with Project Sponsor.

Company A activities
► Project Sponsor to approve ERM rollout plan with inputs from other key executives.

Work stream 11: Closing awareness session
Ernst & Young activities
We will run one (1) ERM closing awareness session to facilitate and raise awareness of ERM within Company A. For this purpose, we will help prepare the presentations and session material.

Company A activities
► Project Coordinator to arrange participation of Core Team, Risk Champions and other relevant personnel.
► Participants to attend the sessions.
► Project Coordinator to arrange location and facilities, at Company A premises or any other location.

(Diagram: Company A Group; Business Units; Projects and Processes)

Work products for Work stream 11:
► Workshop 6: Closing workshop
Knowledge transfer – Train the Trainer approach

EY’s approach is to work with you, focusing on the maintenance of ownership by your team, transfer of knowledge and experience to your team and, ultimately, to your management and staff.

Knowledge transfer is the key to successful project delivery, which will be ensured by a well-defined on-job training approach.

(Diagram: Your involvement and EY involvement across the Project Life Cycle; Team Composition; Skills Transfer)

Company A Project Team:
► Ownership and commitment.
► Knowledge of the business environment.
► Access to information.

EY Project Team:
► Proven methodology – focused and effective
► Consulting expertise
► Experienced professionals with relevant technical and industry skills

Benefits:
► Focuses on areas of greatest strategic opportunity to ensure the project is cost effective and identifies ‘quick wins’.
► Ensures identification and dissemination of leading thinking.
► Ensures day to day operational performance is not compromised.

In order to achieve this, a joint teaming approach with Company A’s team throughout the project life cycle will be adopted to confirm on-going knowledge transfer.

4 Indicative timeline
This timeline is for illustration only and is dependent upon the timeline from the system vendor; hence, it may change.

Indicative timeline
Legend: Steps by System integrator; Steps by EY; Dependency from previous work step; Workshop conducted by EY; Workshop conducted by Vendor. Duration in weeks: 1 to 38.

Work stream # | Activities | Deliverable / dependency
0 | Project initiation |
1 | Current state assessment |
2 | Develop risk management framework | ERM framework
2 | Articulate Risk Appetite | Risk appetite
2 | Business requirement definition | Dependencies: ERM framework
3 | RFP Preparation and its floating | RFP
2 | Develop risk management policy and procedures | Policies and procedures
3 | Proposal submission by the GRC partner | Dependencies: Proposal Submission
3 | Vendor Evaluation and finalisation |
4 | Session for GRC partner on ERM framework so that GRC partner can start working on functional design |
– | GRC implementation (done by third party) | Dependencies: The project plan of GRC implementation will be provided by vendor
5 | GRC design review | Design review report
6 | GRC solution review | Solution review report
7 | GRC tool train the trainer by the vendor |
8 | Identify Risks & Controls: Department 1, Department 2, Department 3 | Dependencies: Availability of system
9 | Reporting dashboard requirements to be shared with GRC partner |
9 | GRC partner to incorporate dashboard reporting requirements in GRC |
8 | Risk Assessment / rating of risks using the tool |
8 | Prioritization of risk results | Risk assessment results
10 | ERM Implementation plan | Implementation plan
11 | Closing awareness session |
“We are excited about the topic of risk management and your specific requirements on the subject. We have put together a top-class team that will meet your requirements.”

Michael Green
Middle East Risk Leader

5 Our best team to assist you

The EY service delivery team
What’s different about how we empower our team? People, process and enablement

1. Effective implementation of the Global Audit Methodology
(Diagram: client expectation at the centre, surrounded by the methodology phases Planning and risk identification, Strategy and risk assessment, Execution, and Conclusion and reporting, supported by Technical expertise, Knowledge and enabling technology, and Independence and objectivity; outcome: no failures.)
Commitments to the client:
• Establish fair fees
• Provide the right team
• Anticipate needs and deliver permitted services
• Provide deep technical expertise
• Maintain open and proactive communication
• Provide relevant industry knowledge
• Provide relevant insight
• Understand our client’s business

2. Your go-to person: an Engagement Leader passionate about the audit and your business, supported by a multi-disciplinary, integrated team to execute the audit and an empowered Client Service Leader; outcome: no surprises.
(Diagram labels: Leverage firm’s network; Audit relationship; Business insights; Permitted services; Collaborative work style; Efficiency and effective communications; Consultation; Risk insights; Technical competence; Accounting; Regulatory developments; Audit compliance; Independence and objectivity.)

3. Committed to deliver audit and service quality; responsible for delivering and confirming achievement of our service commitments.

The true global organization in the profession
• The ability to serve global clients with intensive focus – other structures encourage giving priority to clients located in one’s home country
• Consistent strategy, methodology and measurement metrics across business units with accountability to the Ernst & Young global organization
• Unified business-unit leaders operating as a team responsible to a single Global Executive Board
• Multiple countries grouped together and not locked into country-practice or individual partnership governance structures
• One global fee

The empowered GCSP
• Ownership of overall engagement conduct and relationship
• One point of contact who commits to provide Ernst & Young's best professional advice and conclusions to you on technical matters and which we will stand by under regulatory scrutiny, including involving Ernst & Young's accounting, auditing and reporting specialists, where needed.
• The authority to appoint, remove and reallocate people across the globe
• The ability to influence the performance appraisals and remuneration of all the partners on the engagement
• Firm leadership holds GCSP responsible and accountable for knowing and delivering audit and service quality

How it benefits you
• Quicker response to your most pressing issues
• Business opportunities met with multidisciplinary insights across geographies
• Minimized risk of conducting business in multiple cultures and jurisdictions
• Efficient navigation of the global regulatory landscape
• Insights leveraged from industry and technical peers working around the world

Committed to the audit business: Ernst & Young has invested US$1.2 billion in the last three years to grow our audit practice in emerging markets*
(Chart: Common origins, Diverging destinations – Insights and value add of EY compared with the other Big 4 firms KPMG, PwC and D&T)

Firm commitment: Expectation of audit and service quality; Confirmation of service quality
Our team brings the major programme and business risk knowledge required to deliver the Company A ERM project successfully

Detailed team structure, roles and responsibilities will be defined during the first stage of the project. CVs are attached in the Appendix.

(Organization chart)
Company A: ERM Project Liaison; Oversight Team; ERM Committee (Leaders)
EY Oversight Executive Team – ERM Project QA (Offsite): Jonathan Blackmore – EMEIA Risk Leader; Michael Green – MENA Risk Leader
Engagement Leader: Ahmed Taher
EY - Project Directors: Ashfaque Ahmed; Satish Yadav - GRC
EY - Project SMR Support: Project management and review
EY Project Management Team – on ground
6 EY selected credentials
Selected ERM experience

A major group in Automotive and Logistic Sector in Saudi Arabia – Identification and Assessment of Risks at various investment sectors level:
► Analysis of historical results of various investment sectors
► Identification and Assessment of Risks at various investment sectors level
► Current State Assessment for risk management practices, Gap analysis and Design of ERM Framework
► Linking ERM to Corporate Strategy and Business Planning
► Assistance in defining risk appetite at group level
► Preparation of ERM documentation and templates for knowledge transfer
► Assistance in software selection, assistance to software vendor in the implementation, Training and Roll out

A Major Family Business Group in KSA – Identification and Assessment of Risks at various investment sectors level:
► Assisting in the development and roll out of the Investment Risk Management Framework
► Our work was carried out in the following phases:
► Analysis of historical results of various investment sectors; Current State Assessment for risk management practices, Gap analysis and Design of ERM Framework
► Linking ERM to Corporate Strategy and Business Planning
► Assistance in defining risk appetite at group level
► Preparation of ERM documentation and templates for knowledge transfer

One of the largest steel manufacturing companies in KSA – EY developed an enterprise risk management framework for the client and embedded risk management in business processes and in the organization culture:
► Corporate Governance Deployment at group level
► Risk Assessment and design of multi year Internal Audit plan
► Enterprise Risk Management Framework development and assistance in implementation
► Risk Management Software Selection, Implementation, and Training
► Assistance in ERM implementation (on a co-sourcing basis in order to allow knowledge transfer to the client team)
► Risk Management Monitoring

Large Bank in Saudi Arabia – Formulation of Risk Management Strategy:
EY helped the Bank in formulating the capital management strategy that included the risk strategy of the Bank over the medium-term and the approach to address pillar 2 issues of Basel II. Some of the key points covered as part of this project included systems and processes to identify and measure risks, adequacy of risk policies and procedures, the Bank’s plans for risk mitigation and control, and capital planning and allocation.
Selected ERM experience (cont’d)

Leading Saudi Power and Water Utility Company – Development of an ERM framework and a customized risk register, and delivery of a Corporate risk assessment:
The overarching objective of the engagement was to first establish a comprehensive and effective ERM framework at the Corporate level and then embed it across the organization through an efficient roll-out to the different business units, enabling the organization to protect its assets and improve its planning and decision making process.

Leading Bank in Bahrain – Development of Operational Risk Management Framework:
EY developed an operational risk management framework for the Bank in accordance with the standardized approach of Basel II. This process included the identification of operational risk (Loss Event Type III) and development of key risk and control indicators.

Commercial Bank in Qatar – Risk Management Assessment:
In accordance with the requirement of the Central Bank, EY assessed the ‘main risks’ arising from the activities undertaken by the bank for the purpose of assessing the risk management capabilities of the bank in light of emerging international requirements and best practices. The team conducted a high level diagnostic review of the risk management processes covering the specific risks and aspects determined by the central bank. This involved assessing the current state of risk management at the bank, identifying gaps and providing recommendations to align the risk management function with leading practices.

Insurance Company and Commercial Bank based in Qatar – Outsourced Internal Audit and Risk Assessment:
EY provided outsourced internal audit and risk assessment services to an insurance company and commercial bank based in Qatar. The scope of the project focused on conducting a company-wide risk assessment culminating in the production of an internal audit plan. The engagement involved implementing a ‘top-down’ approach to understand the company strategies, objectives and key initiatives, and an analysis of how they create and/or are affected by risk, which would identify potential audit coverage.

Selected ERM experience (cont’d)

Leading Government of Dubai Department
Review of current state of ERM and design of a future state ERM strategy/blueprint, development of Corporate Risk Appetite and Risk Register, conduct an Executive Workshop to discuss and agree the Department’s most important risks:
This large Department within the Government of Dubai appointed EY to assist in transforming its Enterprise Risk Management function as part of a strategic initiative. EY assembled a team of subject matter experts from Europe, Australia and the Middle East to deliver real value to this client.

Very large UAE Public Company with overseas operations
Review of current state and design of a 3 year ERM strategy/blueprint, development of a customized ERM framework and risk register, and delivery of three risk assessments, at the Group level, Corporate functions and UAE operations:
This very large UAE Public Company with regional operations is witnessing exponential growth, both organic and through acquisitions. The Board mandated the Audit Committee to oversee the launch of an ERM initiative and hire a CRO to develop, implement and embed an ERM framework across the organization, including its international entities.

UAE Holding Company
► Conducting Risk Assessment Training/kick-off presentations with key stakeholders, functional heads and risk participants to introduce them to the concept/value of Risk Management, the Risk Assessment Process and the importance of embedding it within their day to day activities
► Leading/facilitating Risk Assessment Workshops to assist management in assessing and prioritizing their risks using pre-defined risk impact/likelihood and control assessment criteria
► Developing Risk Profiles/Heat Maps and Corporate Risk Registers based on the results of the workshops
► Mapping Strategic/Corporate objectives to the prioritized risks identified
Selected ERM experience (cont’d)

Qatar Central Bank
Setting up Project Management Office:
Acting as the program co-managers together with the Central Bank to facilitate the set up of a Risk Management Department and designing the ERM program. This project involved setting up the RMD’s end state definition, developing an organization structure, suggesting changes in the existing departmental structure, roles and responsibilities, and developing policies and procedures related to all key RMD responsibilities. It also entailed performing a bank-wide risk assessment and drafting RFP requirements for the ERM system, followed by assessing and selecting an ERM system.

Leading Airline in Qatar
Development of an ERM Framework:
The Leading Airline Company in Qatar engaged EY to assist in the development of an ERM Framework. The project involved the following:
► Defining the airline’s risk management context
► Defining acceptable levels of risk
► Designing a practical and sustainable framework
► Developing the company-wide risk appetite
► Developing pragmatic practices & methodologies
► Identifying and assessing key risks
► Developing strategies for responding to the key top risks
► Developing a governance and reporting infrastructure

Large Bank in Saudi Arabia
Review of market risk framework and validation of VaR:
EY assisted the Bank in reviewing the risk policies and risk management function for market risk. The objective was to identify the gaps vis-à-vis the leading practice framework. The scope of the project also included a conceptual review of VaR and detailed validation of the VaR process and computations. In a related but separate assignment, the Team also assisted the Bank in capital management and compliance with general pillar 2 requirements covering all risk types.
Selected ERM experience (cont’d)
We understand the solution and have helped marquee organizations develop their ERM frame

This announcement appears as a matter of record only.

► One of the largest wholesale telecom operators in India: Enterprise Risk Management
► One of the prominent telecom players based in UAE: Risk Based Internal Audit plan
► One of the largest telecom operators in Ukraine: Strategic Risk Assessment and Management
► Water Electricity Authority in UAE: Enterprise Risk Management
► Spanish Multinational Corporation – Energy and Telecommunication: Risk Management Implementation
► One of the largest Indian conglomerates in Oil and Gas: Enterprise Risk Management
► A large vehicle manufacturing company in Saudi Arabia: Enterprise Risk Management
► A large power and utilities company in Saudi Arabia: Enterprise Risk Management
► Petroleum company in Bahrain: Enterprise Risk Management
► Petroleum development company in Oman: Risk Management Implementation
Selected ERM experience (cont’d)
We understand the solution and have helped marquee organizations develop their ERM frame

This announcement appears as a matter of record only.

► One of the largest telecom operators in Saudi Arabia: Enterprise Risk Management
► One of the largest telecom operators in Saudi Arabia: Enterprise Risk Management
► One of the largest telecom operators in UAE: Enterprise Risk Management
► One of the largest telecom operators in India: Enterprise Risk Management
► One of the largest telecom operators in Oman: Enterprise Risk Management
► One of the large global telecom groups based out of Luxembourg: Enterprise Risk Management
► One of the largest telecom operators in Saudi Arabia: Strategic Risk Assessment and Management
► One of the prominent telecom operators in Kuwait: Enterprise Risk Management
► One of the largest telecom operators in Republic of China: Enterprise Risk Management
► Telecom retail and distribution company in Saudi Arabia: Strategic Risk Assessment and Management
Assistance in GRC Tool Evaluation and GRC implementation: Leader in Cosmetic Sector

Client drivers
EY was engaged to assist the company with its ERM framework and its GRC technology enablement approach. The key objectives were to:
1. Provide a first risk cartography at the group level and then roll out risk cartography at the business and entity levels
2. Improve visibility and integration within risk functions (internal audit, internal control, IT risk management) by linking risks and controls frameworks, and better sharing of information.
3. Select and implement a GRC tool of the market

Value delivered / Key quotes
Benefits achieved:
► Shared good market practices, in terms of GRC tool selection and implementation phases
► Efficient implementation phase thanks to consultants experienced with the selected GRC tool
► Support to the client in defining a shared risk framework and strengthening an integrated GRC approach

Our approach
► ERM framework:
  ► Risk cartography
  ► Risk methodology and governance, aligned with the existing control framework
► Tool selection phase:
  ► Understand, analyze and formalize key requirements for internal audit, internal control and risk management
  ► Identify key players in the GRC tools market
  ► Support the RFP phase by providing tenders analysis grids, demonstration scripts, and critical reviews of contracts
► Implementation phase:
  ► Facilitate detailed business requirements workshops and share market good practices
  ► Design a shared risk framework between audit and internal control
  ► Support the application testing phase (design test cases, participate in the tests) and change management

Key deliverables/graphics
Tenders analysis synthesis
Assistance in GRC Tool Evaluation and GRC implementation: Leader in chemicals

Client drivers
As audit management advisor, EY was engaged to assist the company with its GRC framework and its GRC technology enablement approach. The key objectives were to:
• Rationalize first the audit and control frameworks, and then the risk framework
• Formalize, standardize and sustain them in a single tool
• Spend less time consolidating data (self-evaluation questionnaire) and more time analyzing it
Upstream of this, the Company sought a consultancy with expertise in GRC tools that was able to take part independently in the tender phases for tool selection and in the implementation of the solution.

Value delivered / Key quotes
Benefits achieved:
► Our leading position on the market of Internal Audit, Internal Control and Risk Management allows us to have a good view of best market practices
► Our knowledge of the GRC software market, and our ability to identify the strengths and weaknesses of key players and the key success factors related to the selection and implementation of such a solution; our consultants are certified on several solutions, including the tool selected in the case of this project
► Our independence towards vendors, thereby preserving the best interests of the client
► Our consulting expertise, assessed on the alignment between these functions (RCSA)

Our approach
► Tool selection phase:
  ► Understand, analyze and formalize key requirements for internal audit, internal control and risk management
  ► Identify key players in the GRC tools market
  ► Support the RFP phase by providing tenders analysis grids, demonstration scripts, and critical reviews of contracts
► Implementation phase:
  ► Facilitate detailed business requirements workshops and share market good practices
  ► Design a shared risk framework between audit and internal control
  ► Support the application testing phase (design test cases, participate in the tests) and change management
► Business case to extend to Regulation compliance and Business Continuity management

Key deliverables/graphics
Tenders analysis synthesis
Risk reporting
Risk assessment
Assistance in GRC Tool Evaluation and GRC implementation: India’s largest private sector company (Fortune 500 company)

Client drivers
The Fortune 500 company has diversified businesses ranging from petrochemical, oil exploration, textile and retail to telecom operations. One of the major initiatives of the client was to automate its risk and control activities and leverage SAP GRC for the same. Ernst & Young has been involved in the implementation of all SAP GRC v10.1 modules, such as Access Control, Process Control, Risk Management and Audit Management (co-development along with SAP).
The key challenges faced by the client were:
• Design & Development of SAP automated internal controls in PC 10.1, considering the business scenarios at Reliance
• Integration of the SAP GRC RM and PC modules, and of the AC and PC modules
• Co-development of the Audit Management module along with SAP due to its limitations

Value delivered / Key quotes
Benefits achieved:
► Increase the effectiveness and efficiency of risk management and assurance processes
► Common risk register unifies the management of strategic, financial, operational and compliance risks.
► Aligns and integrates the management of risks and controls across the enterprise (strategic planning and business processes).
► Drives implementation of effective risk responses and mitigation activities
► Provides an effective risk reporting and escalation workflow.

Our approach
EY divided the work into implementation phases as follows:
• Design
  • Requirements gathering: Risk Management and Process Control as per client requirements
  • Functional design: creation of the Processes, Risks, Controls and Evidences matrix
  • Technical design: integration with SharePoint and different mobile platforms
• Build and test
  • Solution design and implementation, creation of customized dashboards, testing of the solution and training sessions for the client

Key deliverables/graphics
Tools functional requirements, Tenders analysis synthesis
Assistance in GRC Tool Evaluation: a state in Switzerland

Client drivers
One of the states of Switzerland was evaluating software for Internal Control and/or Risk Management. Its organization is based on a Grand Council (representing the legislative branch) and a State Council (executive branch). The latter is composed of 7 departments, on which the Internal Control Departments are based. The key objectives were to:
1. Improve visibility and integration within risk functions (internal audit, internal control, risk management) by linking risks and controls frameworks, and better sharing of information between group functions and local stakeholders.
2. Select and implement a GRC tool of the market to improve visibility of risk management functions/processes

Value delivered / Key quotes
Benefits achieved:
► Shared good market practices and toolkits, in terms of GRC and BPM tools selection and implementation phases
► An Internal Control tool, enabling the approaches of the 7 departments to be standardized

Our approach
The following activities were performed:
► Understand, analyze and formalize key requirements for internal audit, internal control, risk management and process modeling
► Presentation of the GRC market and its trends for territorial authorities
► Execution and validation of the specifications
► Preparation of the call for tender
► Help in the selection of a GRC tool

Key deliverables/graphics
Tenders analysis synthesis, demonstration scripts, …
7 Assumptions
Key assumptions
► Company A will designate a management level individual who will act as ERM project sponsor and another individual as Project Coordinator. The ERM Project Coordinator will be responsible for arranging our meetings with other Company A executives and managers as required, with guidance from the Sponsor. These roles will also receive drafts from us and will be responsible for obtaining management feedback on these and for forwarding the feedback and comments to us
► All working papers and draft reports from this project will be in English only
► Company A management will provide full support during the project by confirming the meeting schedule and ensuring attendance and participation
► Ernst & Young will have access to, and full cooperation of, the Company A personnel as required
► Ernst & Young is not engaged to provide assurance services, and we are not expected to and will not issue an opinion on the financial statements or any of their components, or any other kind of opinion
► Company A will make project decisions in a timely manner and will ensure the relevant people are available to review work products, answer queries, provide feedback etc. on a timely basis
► Once a work product is signed off, any changes to the work product will be considered outside the scope of this engagement
► Changes in the scope of this assignment, not represented in this engagement, will have to be considered as outside the scope of the engagement
► Risks will be identified at inherent level and will provide a snapshot of risks at a particular time, which is required to be updated/revisited by the Company A ERM department
► Company A and its management are ultimately responsible for the identification of risks and controls. Due to the nature of the ERM exercise and the involvement of judgment, there is a likelihood that not all risks will be identified during the project
► EY’s scope is to facilitate the workshop and validate the risks in the meeting based on discussion
► EY will not develop detailed risk remedial strategies for risks
► For control effectiveness, no testing will be done by EY
► EY will co-develop the risk appetite along with Company A management; however, providing inputs on the risk appetite to EY is the responsibility of Company A management.
► Assessment of the individual performance of Company A employees (such as skills or competencies) is not part of the scope of this project
► Assessing the organization’s readiness to implement the proposed high-level improvement opportunities is not part of the scope of this project
► Company A will be primarily responsible for weekly review meetings to ensure effective addressing of any issues with regards to schedules or availability of data or personnel. Ernst & Young is not responsible for delays caused by Company A and/or its personnel not being able to meet in a timely manner. In case of delays, all parties will make efforts to stick to the overall duration of the project. For any additional work above and beyond the scope of work mentioned in this document, additional time and effort will be mutually agreed between both parties.
► The project duration is tentative and would be finalized in consultation with Company A once the project is awarded to us
► All work performed will be at Company A Saudi Arabia or Ernst & Young offices. No visits to other countries are assumed
► Company A will provide the team with relevant documents and artifacts that apply to Company A in relation to aspects such as business and operations plans, processes, organizational structures and manpower levels
► Ernst & Young will not develop departmental objectives or Company A’s objectives as part of the scope
► Carrying out process level or internal audit risk assessment and preparing a risk based audit plan is not part of the scope
► The coordination and management of meetings and workshops, including the cost, is the responsibility of Company A

Key assumptions (cont’d.)
► The responsibility for vendor selection, software selection and implementation rests with Company A
► Ernst & Young is not responsible for configuration or assessment of the current IT or network infrastructure. Assessment of the requirements of any change in the current infrastructure is not part of the scope
► The software vendor is responsible for the successful implementation of the software
► EY shall report all findings to the client, and the client will make the relevant decisions on next steps/implementation of our findings
► Our scope of work does not include collecting/providing any market and technical data, or relevant functional and legal information
► We will not identify, address or correct any errors or defects in your computer systems, other devices or components thereof (“Systems”), whether or not due to imprecise or ambiguous entry, storage, interpretation or processing or reporting of data. We will not be responsible for any defect or problem arising out of or related to data processing in any Systems.
► We will evaluate a maximum of five proposals received against the RFP for GRC product and implementation partner selection
► EY will manage the GRC training. The GRC tool training would be conducted by the GRC implementation partner. EY would provide the required guidance to the GRC implementation partner and the Company A team during the different stages of the training
► Company A management is to dedicate a minimum of one representative from each respective department which is part of the scope of work during the ERM implementation. EY would perform the solution review. However, the EY solution review should not be considered as a substitute for the testing to be performed by the Company A team. The Company A core team would be responsible for the necessary testing and confirmation to the GRC implementation partner
► The GRC tool is restricted to ERM only and does not include compliance and control assessment
► GRC tool training and related certification would be provided by the GRC implementation partner
► When assisting the client, EY will not:
  o As part of our proposal, EY will not participate in negotiation with the GRC vendor
  o EY will not sign any documents on behalf of the client or be responsible for any contract signed by the client with the vendor
  o Selection of any specific technology, software or hardware is Company A’s responsibility. EY will provide our vendor evaluation report
  o Provide any assurance on Company A’s compliance with regulatory requirements
  o Determine which, if any, recommendations should be implemented
  o Act on behalf of management in reporting to the Board of Directors, or Audit Committee.
  o Authorize, execute or consummate transactions or otherwise exercise authority on behalf of the Company.
  o Perform routine activities in connection with the Company’s operating or production processes
  o Prepare source documents on transactions
  o Have custody of assets
  o Act in any capacity equivalent to a member of management or an employee
  o Perform mitigation or remediation exercises related to user access rights management
  o Develop cost estimates, obtain formal quotations or develop detailed implementation plans for the identified improvement recommendations
  o Perform any project management and monitoring activities on the client’s behalf during its GRC implementation done by a third party

Contact:

Ahmed Taher
Senior Principal
Ernst & Young, Riyadh Office
PO Box 2732, Saudi Arabia
Phone: +966 1 215 9438
Fax: +966 1 273 4730
Email: ahmed.taher@sa.ey.com

Contact:

Ashfaque Ahmed
Director
Ernst & Young, Jeddah Office
PO Box 1994, Saudi Arabia
Phone: +966 2 221 8527
Fax: +966 2 221 8575
Email: ashfaque.ahmed@sa.ey.com

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

The MENA practice of EY has been operating in the region since 1923. For over 90 years, we have evolved to meet the legal and commercial developments of the region. Across MENA, we have over 4,200 people united across 18 offices and 13 Arab countries, sharing the same values and an unwavering commitment to quality.

© 2014 Ernst & Young.
All rights reserved.
