© 2015 CEB. All rights reserved Version: X.X Last modified: [insert date format: DD Month YYYY]

CONFIDENTIAL OR CONFIDENTIAL-RESTRICTED [Delete as appropriate]

CEB Virtual Event Hosted by the Compliance and Ethics Leadership Council 10 December 2015 12:30-1:30 EST

Accelerating the Third-Party Due Diligence Process

An In-Depth Look at TE Connectivity's Approach

1. What does the average third-party risk managementprocess look like?

2. Where are there holes or stall points in that process?3. How are leading companies looking to solve for those

stall points?4. What can we learn from one tech company that has

worked hard to manage the due diligence processbetter?

5. What resources does CELC have to support us here?

What We Will Discuss Today

2

To submit a question or thought in writing: Log onto the web platform at http://ceb-event.adobeconnect.com/celc121015/ and include your question or comment in the box entitled Submit a Question.

To join the discussion or to submit a question via the phone line: Press *1 to be included in the phone queue. (Press *2 to remove your name from the queue.)

Have a question or comment after today’s webinar? E-mail us at kuglerj@cebglobal.com with any feedback, questions, comments, etc.

A Few Quick Housekeeping Matters

3

Roadmap For Today’s Conversation

Managing Due Diligence: TE’s Practice At a

Glance

Lessons Learned From A Peer: An In-Depth Look at TE’s Approach

Q&A and Feedback Session

Third-Party Risk Management: A

Brief Look at The Data

4

Brian Risser

Third Party Compliance Manager

TE Connectivity

Prior positions include:

Manager of Financial Policies and Controls (TE Connectivity)

Manager of Financial Integrations (TE Connectivity)

Senior Financial Accountant (Armstrong World Industries)

Our Panelist at a Glance

5

Roadmap For Today’s Conversation

Managing Due Diligence: TE’s Practice At a

Glance

Lessons Learned From A Peer: An In-Depth Look at TE’s Approach

Q&A and Feedback Session

Third-Party Risk Management: A

Brief Look at The Data

6

© 2015 CEB. All rights reserved. CELC4277615SYN

THE PROCESS WE’VE BUILTCompliance’s Standard Third-Party Risk Management Process

Source: CEB 2015 Third-Party Risk Diagnostic. Note: This is an abridged version of the full process map found in CEB’s Third-Party Resource Center.

of compliance executives rate their third-party programs as effective at creating standards, requirements, and controls to manage third-party risk. 66%

Recertify or Terminate Relationship

Segment and Conduct Due

Diligence

Contract, Remediate Risk, and Certify

Monitor and Audit

Review Business

Justification Form

1 5432

CEB Process SupportCEB offers a suite of resources to support members who are in the process of building or refining their third-party risk management process, including process maps, implementation guidance, and member-donated tools and templates.

7

 8© 2015 CEB. All rights reserved. CELC4277615SYN

THE HOLE IN OUR PROCESSBusiness Partner Process Avoidance Undermines Risk Reduction

43% of compliance executives report that internal partners avoid the compliance review process at least some of the time.

Source: CEB 2015 Third-Party Risk Diagnostic.

Business sponsors avoid the compliance review process…

...minimizing the ability of existing

procedures to reduce risk.

Review Business

Justification Form

Segment and Conduct Due

Diligence

Contract, Remediate Risk, and Certify

Monitor and Audit

Recertify or Terminate

Relationship

9© 2015 CEB. All rights reserved. CELC4277615SYN

OPERATIONAL TAXES WEIGH HEAVILYBusiness Partner’s Mental Model Including Estimated Cost of Each Activity, Per Year

Costs

n = 55–82.Source: CEB 2015 Third-Party Risk Diagnostic.a 18,000 = 60-day median cycle time x 300 estimated number of new third parties receiving due diligence in a given year.b $525,000 = Basic Due Diligence ($250 estimated charge of basic due diligence per third party x 300 estimated number of third parties that receive due diligence) + Enhanced Due Diligence ($15,000 estimated charge for enhanced due diligence x 30 estimated number of third parties that receive enhanced due diligence).

c Percentage of Procurement, Internal Audit, and Information Security executives who agree or disagree with the statement, “My organization’s compliance program effectively supports third-party compliance risk management.”

18,000 Business Days Spent Waiting for Third-Party Approvala

$525,000Annual Due Diligence Spendb

Limited Perceived Risk Reduction Only 22% of functional partners agree that Compliance is effective in reducing third-party risk.c

Benefits

 10© 2015 CEB. All rights reserved. CELC4277615SYN

Monitor and Audit

Recertify or Terminate Relationship

Review Business

Justification Form

Segment and Conduct Due

Diligence

Contract, Remediate Risk, and Certify

Select Third Party

Identify Business

Need

Source: CEB analysis.

BREAKING THE CYCLEOpportunities for Improvement in Compliance’s Third-Party Risk Management Process

Opportunity 1: Help the business make risk-informed decisions.

Opportunity 2: Rationalize unnecessary process complexity.

Opportunity 3: Remove barriers to third-party compliance.

1

2 3

Business-Owned

Compliance-Owned

 11© 2015 CEB. All rights reserved. CELC4277615SYN

Help the Business Make Risk-Informed Decisions

Rationalize Unnecessary Process Complexity

Remove Barriers to Third-Party Compliance

Strategic Decision Support

Integrated Risk Framework

Partner ComplianceCompetency

Due Diligence Process Effi ciency

Supplier Mentoring Program

Monitoring Effi ciency

Roadmap For Today’s Conversation

Managing Due Diligence: TE’s Practice At a

Glance

Lessons Learned From A Peer: An In-Depth Look at TE’s Approach

Q&A and Feedback Session

Third-Party Risk Management: A

Brief Look at The Data

 12

© 2015 CEB. All rights reserved. CELC2606115SYN

 13

OVERVIEW

TE Connectivity accelerates the third-party onboarding process by identifying the specific tasks that become stall points within the due diligence process and sending task owners targeted support designed to accelerate completion of the task. In addition, Compliance sends biweekly progress reports to all due diligence stakeholders, creating process transparency that enables meaningful accountability.

SOLUTION HIGHLIGHTS

Identify Process Stall Points: Compare the average length of each task to the desired length to identify those that are contributing to process delay and build support resources tailored to those particular tasks.

Target Support at Process Stall Points for Easier Completion: Send key stakeholders support that targets the root causes of task delay when tasks have not been completed in the appropriate time frame.

Build Accountability for Completing Tasks Through Cross-Stakeholder Visibility: Circulate periodic progress reports to all due diligence stakeholders that outline the current phase and owner of relevant due diligence processes, building accountability for task completion.

COMPANY SNAPSHOT

TE Connectivity Ltd.

Industry: High Technology TE Connectivity designs and manufactures connectivity and sensor solutions for a variety of industries including automotive, industrial equipment, data communication systems, aerospace, defense, oil and gas, consumer electronics, energy, and subsea communications. The company serves customers in more than 150 countries.

2014 Sales: US$13.9 Billion

Employees: 80,000

DUE DILIGENCE PROCESS EFFICIENCY

 14

© 2015 CEB. All rights reserved. CELC2606115SYN

GUIDING EMPLOYEES THROUGH THE PROCESS

TE Connectivity’s Due Diligence Process Completion TimeAverage Completion Time Across All New Third Parties

TE Connectivity’s due diligence completion time was three times longer than desired, causing significant delays in third-party onboarding.

“It was clear that our process was taking too long. So, we needed to

understand where the major delays were and how we could make this process easier for our stakeholders.”

Brian RisserBusiness Partner Program ManagerTE Connectivity

Employee Pain Points with Due Diligence Process

Source: TE Connectivity Ltd.; CEB analysis.

Source: TE Connectivity Ltd.; CEB analysis.

Due Diligence Process Completion Time

Desired Completion Time

Actual Completion Time = Three Times Longer

“I got busy and forgot to complete my task.”

“This task is complex and I’m not sure how to complete it.”

“It’s not a big deal if I get to my task next week.”

Automated Overdue RemindersSend support-oriented reminders to stakeholders when they do not complete tasks within the desired time period.

Cross-Stakeholder Progress ReportsCreate visibility in the due diligence process so that stakeholders can see when their counterparts are causing delays.

 15

© 2015 CEB. All rights reserved. CELC2606115SYN

IDENTIFYING SPEED BUMPS IN THE PROCESS

TE Connectivity’s Due Diligence Process MapIdentifying Most Problematic Tasks

TE Connectivity mapped its due diligence process and identified the tasks that most commonly cause delays.

■ To eliminate these delays,Compliance embeds processsupport in automated remindere-mails to help stakeholderscomplete tasks in a timelyfashion.

Bu

sin

ess

Sp

on

sor

(In

tern

al

Em

plo

yee)

Bu

sin

ess

Par

tner

(T

hir

d P

arty

)L

egal

an

d

Co

mp

lian

ceD

ue

Dili

gen

ce

Ven

do

r

Source: TE Connectivity Ltd.; CEB analysis.

Exceeds Desired Completion Time

Within Desired Completion Time

Complete business justification form and send Business Partner Questionnaire (BPQ) invite

Review due diligence and approve/disapprove business partner

Close case and finalize business partner status

Provide due diligence results

Complete and send BPQ

Calculate risk rating automatically

Approve due diligence type based on risk rating

Set up business relationship and contract

1

6

2

7

3

84

5

Farthest from Benchmark

TE Connectivity measured each task’s average completion rate against the vendor’s best practice completion rates.

 16

© 2015 CEB. All rights reserved. CELC2606115SYN

SUPPORTING THROUGH SPEED BUMPS

Sample Automated Reminder E-MailAddressing a Delay in Completing Business Justification Form

Compliance sends task owners support-oriented reminder e-mails once tasks have exceeded the desired completion time.

■ TE Connectivity uses remindersthat are tailored to each task sothat employees receive only thesupport they need to completethe task at hand.

“No matter how much upfront training we did, the business had to

actually work through the process to understand where they would run into pain points and need assistance.”

Brian RisserBusiness Partner Program ManagerTE Connectivity

Source: TE Connectivity Ltd.; CEB analysis.

page 24 Information is TE Confidential & ProprietaryDo Not Reproduce or Distribute

4. Invite Business partner to complete the BusinessPartner Questionnaire

Go to the “Due Diligence” tab in the profile and click on the “Invite” button in theright corner. It will bring up the “Due Diligence Intake Form Invitation”. The information should be pre-populated with the “Main Point of Contact” information from Step #2.

• Choose the Language from the drop down box• Click “Current” if the Partner is an existing business partner; OR click

“Prospective” if the Partner is a new business partner for TE• Click “Send Invitation”.

4

Subject: Reminder: Task Overdue - E-Mail Message

From: Stephanie Roosevelt <sroosevelt@te.com>

To: John Doe

Dear John,

Our records indicate that you have not yet completed the Business Justification Form for a third party with whom you would like to conduct business. This e-mail is meant to provide you with the right support to complete the form properly.

For guidance on completing this form, please refer to our Business Partner Management Program SharePoint Site or our presentation on TE Connectivity’s Due Diligence Process. If you should still have questions or concerns, contact me using my information below.

Stephanie RooseveltCompliance Officersroosevelt@te.com(717) 555-1234

Reply Reply All Forward DeleteFlag Move

X—+Resources

• Business Partner Management Program (BPM) SharePoint SiteLinks to more information regarding your responsibilities:

– Policies & Procedures – Business Partner Management Program – An Accountability Handbook – Training Opportunities and Video Tutorials– FAQs– Contact Details for Questions

 17

© 2015 CEB. All rights reserved. CELC2606115SYN

VISIBILITY CREATES ACCOUNTABILITY

Biweekly Progress Reports on Due Diligence ProcessIllustrative

Biweekly progress reports to due diligence stakeholders create process visibility and accountability for task completion.

■ Stakeholders can view thecurrent due diligence phaseand owner, and follow up withother stakeholders who aren’tcompleting their tasks.

■ Stakeholders are more likelyto complete their tasks in atimely manner knowing thatothers have visibility into theirprogress.

Source: TE Connectivity Ltd.; CEB analysis.

2/2/15Dear John,Below is your bi-weekly report on the progress of the third parties in which you’re involved as they work through our due diligence process. Please notify the compliance program or any related stakeholders if you have any questions or concerns.

Company Name

Date Opened

Current PhaseCurrent Phase Owner

RegionDate of Process Reset

Days Until Process Reset

Martin Industrial

11/13/14

Complete business

justification form

You NA 2/13/15 11

Quaranta Enterprises

12/20/14

Complete and send business

partner questionnaire

Quaranta Enterprises

EMEA 3/20/15 46

Process Reset

If the overall process takes longer than the predetermined deadline, stakeholders must start the process over from the beginning.

Social Pressure

All stakeholders involved in a particular due diligence process—and business unit leadership—can see which stakeholder is causing delays.

Roadmap For Today’s Conversation

Managing Due Diligence: TE’s Practice At a

Glance

Lessons Learned From A Peer: An In-Depth Look at TE’s Approach

Q&A and Feedback Session

Third-Party Risk Management: A

Brief Look at The Data

18

Key Components Business Partner Management (BPM) Program

• Program training materials:• BPM handbook with “in-scope” definitions• Securimate on-boarding process workflows• User trainings

• Regular meetings with accounting and finance to workon integrating internal controls

• Cross-referencing Securimate Profiles with SAPnumbers

• Regular updates and meetings with Stakeholders

19

Challenges Business Partner Management (BPM) Program – Internal Controls

• Process:• Process design and change is detailed work• Process change is hard for organizations and people• Overall on-boarding takes too long

• People• Business Sponsors and Legal Counsels not completing their

tasks• Accounting and Finance people not making this a priority

• System integration Securimate and SAP

20

Implementation Business Partner Management (BPM) Program

Evolution not Revolution

• All new customers and vendors in Securimate - October 2013• Pilot countries legacy customers and vendors - December 2013• Financial controls in supplier set-up process - March 2014• Sponsor and legal counsel action reports - October 2014• Gating and profile suspension - March 2015• First SAP shut-offs – March 2015• Automated SAP shut-offs – September 2015

21

Implementation The Importance of Consensus

• Board and Executive Management• Regular updates on BPM program and the status of Internal Controls

• Business Segments• Regular meetings – Program updates and proposals for new

processes/program evolution• User feedback

• Trainings, reporting and other interaction with support team• Support team feedback

• Experience with users and common support issues• Accounting/Finance and IT

• Outreach and process/implementation assistance

22

Securimate On-Boarding Process and Metrics

23

Business Partner Management Program - Workflow

Information is TE Confidential & Proprietary Do Not Reproduce or Distribute

Metrics/ Gating Process

• Individual Sponsor Action Reports• Training

Business Partner Questionnaire: • Reminder 1 – 11 days• Reminder 2 – 30 days• Reminder 3 – 45 daysAnnual Renewals:• Reminder 1 – 10 days• Reminder 2 – 20 days

• Individual Legal Counsel ActionReports

• Training

Steele Due Diligence Orders • OSI 3-5 days• EDD 14-21 days

24

Securimate Best Practices 1. Business Sponsor initial activities could be completed in 18 days

• This includes completing the Business Justification form, sending outthe BPQ to the Business Partner and reassigning the case to LegalCounsel once the BPQ is submitted.

2. Business Partner activities could be completed within 10 days• This includes completing the BPQ and executing the Anti-Corruption

Compliance Declaration

3. Legal Counsel activities could be completed within 25-30 days• This includes reviewing the Justification form, the BPQ, ordering and

reviewing Due Diligence and completing and uploading a contract withanti-corruption language

4. BPM Support resources should help streamline the process andprovide support through guidance, reporting and training

• Compliance Counsel support• BPM support

25

Closing the Gap – Gating Measures/Reporting 1. Business Sponsor Action Reports (bi-weekly)

• These reports include action items for completing the BusinessJustification, sending out the BPQ to the Business Partner, following upon the BPQ after 7 days and reassigning the case to Legal Counselonce the BPQ is submitted.

2. Legal Counsel Action Reports (bi-weekly)• These reports include action items for reviewing the Business

Justification and BPQ, ordering Due Diligence, accepting orders,uploading executed contracts and approving or denying BusinessPartners

3. Gating Measures (to be implemented)• BPQ Reminder Emails to Business Partners

• Currently there are no reminder emails, we propose to send them out at 11, 30and 45 days. Reminders have been translated into 21 languages andsuccessfully tested in QC system

• Turn off Profiles older than 90 days (after catch up of backlog)

4. Implement Annual Renewal Process with email reminders• Turn on renewals and email reminders (currently testing in QC)

• Send out reminders at 10 and 20 days and shut off at 45 days

26

Metrics - Best practice (with Gating)

Day 1 Day 16 Day 20 Day 35

Day 37

Day 90

Securimate record created/ loaded

Day 3

Activate account

Day 6

Complete Justification form & send out BPQ invite

BPQ should be received within 10 days

Day 18

Re-assign to Legal Counsel

Order due diligence

EDD – up to 15 days OSI – 3 to 5 days

Due diligence Accepted by requester

Day 45

Upload contract Approve/ Deny profile

27

Gating, Metrics, Reminders, and Action Reports

Day 1 Day 14 Day 30 Day 42 Day 90

1st email reminder Securimate

record created

2nd email reminder

3rd email reminder

Day 60

SHUT OFF: • Pending profile• Pending BPQ• Pending Case

Day 11

Day 3

Request access & Log in

Day 6

Complete Justification form & send out BPQ invite

BPQ should be received within 10 days

Day 28 Day 16 Day 45

Business Sponsor & Legal Counsel Action Reports

Business Sponsor & Legal Counsel Action Reports

Business Sponsor & Legal Counsel Action Reports

28

Notifications, Shutoffs and Waivers

1. Business Sponsor and Legal Counsel Action Reports• Reminders at 45 days and 75 days notifying users that they have 45

days and 15 days left to complete the on-boarding process

2. Shutoffs• Less a waiver is obtained, open Profiles/Cases that are not completed

are shut off at 90 days

3. Waivers• Sponsors and Legal Counsels can ask for a waiver for exceptions such

as contract delays, new sponsors, vacations, etc.• Waivers will require GC or Compliance Counsel approval• Waiver forms will be uploaded to the Securimate record

29

Renewals – Proposed Process/ Gating/ Metrics

Day 1 Day 10 Day 20 Day 45

Annual Renewal kick-off at 1 year anniversary

Prior year BPQ sent out to BP

SHUT OFF 1st email reminder

2nd email reminder

Day 14 Day 28

Business Sponsor Action Reports

Business Sponsor Action Reports

30

Custom Reporting

31

Custom Reporting – Business Sponsor

32

Custom Reporting – Legal Counsel

33

Roadmap For Today’s Conversation

Managing Due Diligence: TE’s Practice At a

Glance

Lessons Learned From A Peer: An In-Depth Look at TE’s Approach

Q&A and Feedback Session

Third-Party Risk Management: A

Brief Look at The Data

34

Third Party Resource Center: For a collection of best practices, implementation guidance, and member-donated tools

CEB Ignition Guide to Conducting Compliance Due Diligence: 7 step, 20 document guide to help you assess risk and build an effective process for conducting due diligence

Benchmarking Reports on Third-Party Governance, Risk Management Maturity, Due Diligence, Monitoring and Auditing, and Vendors

** Please go to the CELC web site to see all of the resources on this topic.

CEB Resources to Support Our Members

35

To submit a question or thought in writing: Log onto the webplatform at http://ceb-event.adobeconnect.com/celc121015/ andinclude your question or comment in the box entitled Submit aQuestion.

To join the discussion or to submit a question via the phoneline: Press *1 to be included in the phone queue. (Press *2 to removeyour name from the queue.)

Have a question or comment after today’s webinar? E-mail us atkuglerj@cebglobal.com with any feedback, questions, comments,etc.

Have a Question or Comment?

36

Thank You

Jennifer Kugler Principal Executive Advisor 1.818.788.4603 kuglerj@executiveboard.com