Welcome to Control Risks Presentation

| March 2015

Tom Bruun Andersen, Market Director NorwayNiels Lindholm, Associate Director CIIT Western Europe

Compliance

We enable our clients to succeed in complex environments

Control Risks is a global, independent risk consultancy specialising in political, integrity and security risk

Since 1975 we have worked in over 150 countries for more than 5,300 clients

Served Norwegian clients since 1985

Trusted advisor to more than 80% of the Fortune 500

36 offices on 5 continents

Ethical and independent

We monitor and advise organisations on political, operational and security issues across the globe

2) Scope of work

Security threats

Conflict Political violence Strikes, riots and civil

commotion Kidnap-for-ransom Petty crime Violent crime Domestic terrorism International terrorism Direct action

Strength & independence of judicial system

Capacity of law enforcement Labour issues/industrial

action Efficiency & probity of

bureaucracy Administrative corruption High-level corruption Weak infrastructure

International business issues Corporate responsibility Corruption Intellectual Property

protection Money-laundering

Key information Key facts Key political figures (head of

state, prime minister, ruling party, other parties)

Key players Key issues

Politics and economics Political system Government and opposition Succession Insurable political risks External risks Economic stability: General condition Government management Foreign investment Key sectors

Security threats Operational threats Political threats

13 March 2015

How to maximize the value of integrity due diligence?

Our assumptions

You do not want to hear too much about FCPA or UKBA

or you have heard enough, or you will hear enough later

You are familiar with IDD requirements

Thanks to your FCPA, UKBA experience and regulatory and ethical commitments

You wonder how to extract value out of IDD investments

It’s always difficult to prove a negative, i.e avoidance of the costs of something going wrong, but did not happen thanks to your IDD program

Our assertions

Business ventures should be subject to a holistic risk assessment

outbound M&A is intrinsically high risk and the risk profiles need to be defined

IDD programs run better when they are proportionate and integrated

Local knowledge of operating environment essential / There is no one-size fits all

It’s the use you make of the IDD that will trigger its value

Value of “Check The Box” IDD harder to demonstrate

The value is in the acquired intelligence used to wise up business decisions and build a culture of good governance

The value is delivered throughout the life cycle of the project

Hang on a minute. Before getting on to risk assessments and intelligence…

What is Risk?

“the effect of uncertainty on objectives”ISO 31000 (2009)

“The likelihood of an event, and its impact on objectives.”

How do we assess it?

“The likelihood of an event, and its impact on objectives.”

Source Item, group or activity that has the potential for impact.

ThreatFactor (motive / condition) that could lead a source to cause an event (identify intention and capability)

VulnerabilityMeasure of ability to anticipate, prevent, resist, respond and recover from an event (ie your exposure)

Risk

What is integrity risk?

Lack of Transparency

Financial crimes typically seen as “internal company issues”

No Independent Oversight

Asset or liability?Political Connections

Significant integrity risks related to business partners and counterpartiesReputational

Extended and often convoluted third party networks raises anti-bribery and corruption risks

Complex Network

Opaque business practices and low disclosure requirements

The most common integrity risks companies face when investing include:

What risks do you assess, before investing?

Data room Public domain

information (Overt) intelligence-

gathering (Internal) institutional

knowledge

Financial

Legal

Commercial

What are the objectives?

Strategic value add?

Fair (risk-adjusted) value?

Seamless integration?

Commercial potential?

Reputation and Regulatory impact?

What is the risk appetite? Compliance and ethics

tighter than regulatory requirements

Needs to be defined early on

Early warning IDD (red flags) can save you time upfront

Need to factor Risk financing in the valuation

Third party risk environment – understand the inherent risk level

Move beyond the data room and consider the ways in which intelligence-gathering can help you:

compliant < risk-based < strategic

Crucial to managing your exposure is knowing your business partners and third parties, and understanding:

What is the risk of corruption and fraud in this country?

Who is behind the subject business? The subject’s connections, other

interests, track record, profile, reputation and integrity

What are the major third party risks? According to sources across the marketplace

Target company Industry Country-level

What a risk-based due diligence can deliver

Financial

Legal

Commercial

Target Valuation

Deal Structure

Management Liability

Bargaining Power

Operational Optimization

Legal Safeguards

Integration Planning

Reputation

Gov’t Relations

Shareholder Action

Post-trans Costs

Fully-Integrated

Acquisition

How does it work? >>>Proportionality

Step 1 – consensus building = macro view + red flags exercise

Step 2: Pre-due diligence: Identify high-risk areas / refine IDD

parameters

Step 3: due diligence phase = identify vulnerabilities and

hidden risks / scope proportionate to risk

Step 4: Agreement phase = leverage intelligence to better shape the deal /

determine mitigation needs

Roll out compliance program: Integrate,

train, monitor, respond

How does it work? >>>> Integration

Fully-Integrated

Acquisition

Data room Public domain

information (Overt) intelligence-

gathering (Internal) institutional

knowledge

Financial

Legal

Commercial

Macro to micro...

1. Political, sectorial, regulatory risk begin to understand the “third party” environment

2. Integrity risk assessment, with third parties a focus (what will the data room not tell you?)

3. Discreet intelligence gathering in to relevant third parties and your target’s business model

= Risk-based approach will add strategic and tactical value

Refine risks as you progress

Develop remedial plan with all risks in mind

Execute plan

Sustainable business practices

• Widen concept of “third parties”

• Consider key political and regulatory issues, communities and stakeholders

• Build up resilience

Know your costs and remediation

• Reassess asset value

• Remove bias

• Take high quality decisions

• Integrate within ERM

Intelligence-driven DD

• Move from “overt” to “covert”

• Adds business value, don’t just identify issues

Use intelligence, move from vulnerabilities to remediation, achieve sustainability…

Ongoing risk assessment within the ERM framework

You know the score on FCPA:

Successor liability: risks survive the transaction

Key steps to reduce liability: “Investigate, Disclose, Remediate, Cooperate”

Key case studies: GE/InVision (2004); Lockheed/Titan (2004); KBR/Halliburton (2009); AllianceOne (previously Dimon and Standard) (2010,2011); Pfizer/Wyeth (2012)

However, this was never enough.

Move from “corrupt practices” to “integrity risks”; make the due diligence count strategically, tactically as well as legally, compliantly.

How are businesses responding?

Control Risks surveyed 638 senior legal and compliance professionals from around the world.

Source: International Business Attitudes to Corruption Survey 2014-15

Manage your processes and information flow

Practical guidance in high risk jurisdictions

There are risks associated with doing business in new frontier markets where corruption can be systemic and entrenched, in part due to:

Dealing with governments or state owned or controlled entities,

Having regular contact with government officials, and

Depend on third parties ie intermediaries

But is that a cause to abandon business development due to corporate ethics and anti-bribery regulation?

Be known for doing the right thing

Jay Ireland, President and CEO, GE Africa,: “If you can be seen as a company engaged in the country’s long-term

development, and explain the benefits you and your team bring to support that development, it shows real commitment. Most importantly, it shows that

you’re here to stay.”

Tullow Oil Director, Aidan Heavey “if you start off doing things properly, people respect you for it, and when

you’re there for the long haul, politicians change, people change. You don’t have to be big like GE to participate in that dynamic”

Focus on good governance

• Focus efforts on “how a business obtains good governance” rather than on “how it avoids corruption.”

• The “just say no” approach of many compliance practitioners is far less efficient than the corporations that work with local governments in order to strengthen the systems of governance at the technical, institutional, and strategic level.

• Institutional systems that work well reduce the scope for human inconsistency, including corruption and fraud. This includes explaining FCPA and IDD requirements on the third party environment.

• In other words, help tackle the problem of governance, not the output of corruption, to make real progress towards ethical conduct and clean commerce.

• Don’t be fooled – rely on intelligence to always know more than you are willing to say

Embedding a culture of compliance

Business strategy:

Treat compliance as a strategic objective and competitive advantage

A value creator, not a cost driver

Incentives:

Review the potential impact of staff incentives on their business principles

Sales targets – are they compatible with the environment? do they introduce risks?

Resources:

Ensure involvement of business leaders, senior managers

Risk-based approach – Higher risk demands higher investment in ABC resources and controls

Communication:

Training – Ensure employees understand and accept responsibility for ethical behaviour

Intelligence:

“Be aware” – Whistle-blowers, Third party checks, ABC assessments

Confidentiality is key

In conclusion….

Legal / compliance / DD = commercial / integrity / value

GCs and CCOs can leverage intelligence from IDDs to generate long term value

Risk-based approach = maximize opportunity

before, during and after outbound M&A

Embed the process in the organization, bring in all stakeholders

a real opportunity for successful inter-disciplinary work

A requirement for building a culture of compliance

Questions?