

  • Number of slides: 29

The Final Frontier

Enterprise Risk Management is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.

Conceptual Framework

ERM Framework

Types of Risk:
  • Hazard
  • Financial
  • Operational
  • Strategic

Process Steps:
  • Establish Context
  • Identify Risks
  • Analyze/Quantify Risks
  • Assess/Prioritize Risks
  • Treat/Exploit Risks
  • Monitor & Review

Typical Risk Matrix

Risk Model Maturity Spectrum (from "Earth" to the "Final Frontier": more shareholder value as maturity increases)

Basic
  - Profile: Comply with Regulatory Obligations
  - Characteristics: Manages risk of infractions; Provides limited protection

Moderate
  - Profile: Protect Shareholder Value
  - Characteristics: Uses risk management tools; Protects assets and shareholder value

Advanced
  - Profile: Enhance Shareholder Value
  - Characteristics: Integrates risk measures across enterprise; Enhances shareholder value

Overview of Enterprise Risks

  • Hazard Risks include risks from:
    - Fire and other property damage;
    - Windstorm and other natural perils;
    - Theft and other crime, personal injury;
    - Business interruption;
    - Disease and disability (including work-related injuries and diseases);
    - Liability claims;
    - War, and Terrorism.

Overview of Enterprise Risks

  • Financial Risks include risks from:
    - Price (e.g. asset value, interest rate, commodity);
    - Liquidity (e.g. cash flow, call risk, opportunity cost);
    - Credit (e.g. default, downgrade);
    - Inflation/purchasing power;
    - Hedging/basis risk;
    - Taxes; and
    - Currency fluctuations.

Overview of Enterprise Risks

  • Operational Risks include risks from:
    - Business operations (e.g., human resources, product development, capacity, efficiency, product/service failure, channel management, supply chain management, business cyclicality, demand for services);
    - Empowerment (e.g., leadership, change readiness);
    - Information technology (e.g., relevance, availability);
    - Information/business reporting (e.g., budgeting and planning, accounting information, pension fund, investment evaluation, taxation);
    - National disaster;
    - Failure to identify market trends; and
    - Failure to properly document deals and transactions.

Overview of Enterprise Risks

  • Strategic Risks include risks from:
    - Reputational damage (e.g., trademark/brand erosion, fraud, unfavorable publicity);
    - Competition;
    - Customer wants;
    - Demographic and social/cultural trends;
    - Technological innovation;
    - Capital availability; and
    - Regulatory and political trends.

Overview of Enterprise Risk Management

Process cycle (Mitigate):
  • Establish Context
  • Identify Risks
  • Analyze/Quantify Risks
  • Assess/Prioritize Risks
  • Treat/Exploit Risks
  • Monitor & Review

Practical Considerations in Implementing ERM

  • Designating an ERM “Champion”
  • Making ERM part of the enterprise culture (“tearing down the silos”)
  • Determining all possible risks of the organization
  • Quantifying operational and strategic risks
  • Lack of appropriate risk transfer mechanisms
  • Monitoring the Process
  • Start Slowly – Build Upon Successes

Critical Success Factors in Implementing ERM

  • Management Buy-In
  • Leadership
  • Follow up

Opportunity for Legal Officers

  • Take leadership role in risk identification and mitigation
  • Move beyond compliance to other risks facing the company and how they may have legal consequences
  • Preventive/proactive lawyering
  • Consider attorney-client privilege implications
  • Springboard for ethics and compliance initiatives

Compliance Program in Context of ERM Universe

[Diagram: the Compliance Program shown as a subset within the larger ERM universe]

What is a Compliance Program

A program to ensure that a Company has an ethical/compliant culture, minimizing risk to the Company, its Directors and Officers of criminal/financial liability, while maximizing the credit available under the United States Federal Sentencing Guidelines in the event of a violation of law.

USSG Seven Criteria

  1. Written policies and procedures (code of conduct)
  2. Specific high-level personnel assigned to oversee compliance program
  3. Communicate standards to all employees/agents; required participation in training; publications explaining program
  4. Auditing and monitoring
  5. Method for reporting non-compliance without fear of retaliation (anonymous or confidential reporting)
  6. Consistent discipline for non-compliance
  7. Reasonable steps to respond and prevent

Why Have a Compliance Program

Caremark case: Directors must ensure that a company has a system designed to detect, monitor, prevent and report any significant lack of compliance with applicable law.

Holder/Thompson Memos/SEC Position: Decisions whether to prosecute companies involve the questions of 1) whether upper-level management was involved in the misconduct, 2) whether there was an effective compliance program, 3) the company’s criminal history, and the industry self-policing/reporting standards.

Federal Sentencing Guidelines: Company may significantly reduce sanctions, fines and penalties if it has an effective program to prevent and detect violations of law, the hallmark of which is due diligence. A $6 M fraud matter will produce a fine of $8.4 to $16.8 M for a corporation without a compliance program, which may be reduced to as little as $300 K for a corporation with an effective compliance program.

1. Establish standards & procedures reasonably “capable of reducing… prospect for criminal conduct”

  • Are the Code of Conduct and other policies simple, internally consistent and easily followed?
  • Is there a process for identifying, capturing and addressing material risks?
  • Is there a process to identify compliance issues early in the development of new or changing business models and laws?
  • Is there a process to update policies and procedures?
  • Do they cover all employees and other agents?

2. Assign oversight to specific high-level personnel

  • Who serves as Compliance Officer?
    - Does the Compliance Officer have all appropriate access and all necessary resources?
    - Does the Compliance Officer have the right level of independence?
    - Does the Compliance Officer report directly to the CEO/GC/Audit Committee?
    - Does the Compliance Officer review exceptions to the Code of Ethics?
  • Is there Board oversight?
    - Audit Committee or not
    - Employee Certifications
    - Conflicts of Interest

2. Assign oversight to specific high-level personnel [continued]

  • Corporate commitment
    - Is there strong executive leadership commitment as demonstrated by communications, actions, budget (especially during tough economic times)?
    - Do regular business reports include compliance matters?
    - Are senior executives involved in the development of company policies?

3. Use due care to avoid individuals with bad propensities

  • Are there employee screening/background checks?
  • Do performance reviews include ethics/compliance?

4. Effectively communicate standards to employees

  • Is there a vigorous process for the development and implementation of compliance training?
  • Is there a comprehensive communication plan addressing:
    - turnover
    - language barriers
    - level of communication (6th grade v. college)
    - channels of communication (brochures, webinars, etc.)
    - timing for each type of communication (new policy, reminder, change in business or business practice, training, etc.)

Training Issues

  • How often is training offered/repeated/updated?
  • Who is trained? Does everyone receive the same training?
  • How is the training accomplished: in person, Web based, brochures? How is the format determined?
  • Is appropriate training mandatory?

5. Monitoring, auditing, and using reporting system (without fear of retribution)

  • Is there a vigorous program of internal audits and on-site, in-house or outside legal audits?
  • Is there a reporting system that allows anonymous reporting, protecting identities to the extent permitted by law and consistent with the policies of the Company’s Code of Conduct?
  • Are there incentives for compliance as a job performance element/penalties for failure to perform?

6. Consistent & Appropriate Discipline

  • Is there a well-articulated, even-handed, evenly enforced disciplinary policy?
  • Does the company dismiss/discipline high-level managers for violations?
  • Are there robust mechanisms to discover and take appropriate disciplinary action in response to violations of law and policy?

7. Take “All Reasonable Steps”

  • Does the company develop proportional and timely responses to mistakes?
  • Is there an honest evaluation on an ongoing basis to anticipate new issues and improve the program?

ERM is the Next Step

Compliance Pitfalls

  • Boilerplate programs
  • Standards without established procedures
  • Double standards regarding discipline
  • Poor communication
  • Lack of enforcement
  • Constrained resources
  • Disconnect on risk/benefit analysis

“LIVE LONG AND PROSPER” – Mr. Spock

~ Thank You ~

Mark L. Jones
Jackson Walker L.L.P., Corporate Partner
1401 McKinney Street, Houston, TX 77010
713-752-4224
mjones@jw.com

Susan M. Ponce
Halliburton, Senior V.P. & Chief Ethics and Compliance Officer
2107 CityWest Blvd., Bldg 4 - 13th Floor, Houston, TX 77042
713-839-4509
Susan.Ponce@Halliburton.com