NEACS: CRO Perspective William Feher Vice President, Internal Audit and Chief Risk Officer October 27, 2015


CRO Perspective: Speaker’s Bio

William Feher, Vice President, Internal Audit and Chief Risk Officer

Bill serves as Vice President Internal Audit and Chief Risk Officer for ITT Corporation where he is responsible for overseeing the activities of Internal Audit, Risk Management (Insurance and ERM) and Business Conduct (Ethics Programs). He has more than 28 years of experience, having previously worked for EMCOR Group, Inc., Gartner Inc., Ernst & Young LLP, and PricewaterhouseCoopers LLP. Bill is a board member and President of the Fairfield/Westchester County Chapter of the Institute of Internal Auditors, a member of Financial Executives International and the Connecticut Society of CPAs and a volunteer member of the Finance Committee of Make-a-Wish of Connecticut.

About ITT Corporation:

ITT is a diversified leading manufacturer of highly engineered critical components and customized technology solutions for the energy, transportation and industrial markets. Building on its heritage of innovation, ITT partners with its customers to deliver enduring solutions to the key industries that underpin our modern way of life. Founded in 1920, ITT is headquartered in White Plains, N.Y., with employees in more than 35 countries and sales in a total of approximately 125 countries. The company generated 2014 revenues of $2.7 billion.

CRO Perspective: Speaker’s Bio

[Organization chart. Boxes shown: Audit Committee of the BOD; Chief Financial Officer; Bill Feher, VP, IA and Chief Risk Officer; Internal Audit; Enterprise Risk Management; Ethics; Risk Mgmt. & Insurance]

CRO Perspective: Theme for Today

“No longer is cyber security the concern of only the Chief Information Security Officer or the Chief Information Officer.

Increasingly boards of directors and management teams are turning to their Chief Risk Officer for an independent view of how cyber risk is managed across the enterprise.

An important part of the solution is a strong partnership with all of the stakeholders in cyber security.

This session will share strategies and success stories.”


CRO Perspective: Overview of Discussion Topics

Enterprise Risk Management and IT Risk

What does a Chief Risk Officer do?

How ITT Manages Risks

Solutions and Success Stories

Where do we go next?

Q&A

CRO Perspective: ERM and IT Risk

CRO Perspective: What does a Chief Risk Officer do?

Aligns the company’s risk management approach with strategic objectives and oversees Enterprise Risk Management (ERM).

Communicates risk information to the Board of Directors and to management. The CRO is often the liaison between the Board, management and the risk management function.

Establishes and maintains adherence to risk appetite/threshold.

Monitors emerging risks across the enterprise. Establishes and maintains early warning systems/forward-looking indicators to evaluate and assess emerging risks.

Drives a culture of risk awareness and discipline.

Fosters cross-functional collaboration, ownership and accountability for all employees, with responsibility commensurate with their job responsibilities.

Reports to the CFO (next most commonly to the CEO). Some CROs have direct board reporting, especially those who have a hybrid role in small to medium-sized companies (ITT structure).

Stakeholders: Shareholders, Board, Management and Functional Leads, Regulatory Agencies, Customers, Suppliers, Lenders

CRO Perspective: How ITT Manages Risks

CRO Perspective: Solutions and Success Stories

Third Party/SaaS Reviews

• Approval committee participation to vet potential vendors

• Due diligence questionnaire and risk evaluation

• CRO support of the CISO and security team with business owners

Disaster Recovery/BCP Support

• Co-sponsorship of DR framework development with the CISO

• Management buy-in support

• Implementation advisor, strategist and Board communicator

Business Case Support

• Data Center strategy review

• Key IT Initiative Steering Committee support

Board of Directors Reporting

• Enterprise Risk Management – Annual Cyber Security Assessment

CRO Perspective: Where do we go next?

Evaluate effectiveness of Cyber Security Risk Management and constantly adjust

Partner with your CRO (and CAE)

• He/she can be a great supporter and catalyst

Focus on employee engagement and education

• Coordinate employee training activities with your CRO and other functional leads

• Other functions are your business partners

Finance – watch for phishing and spam, finance is a frequent target

Human Resources – consider core competency evaluation for strong cyber awareness and prevention techniques

Legal – coordinate on use of third parties and contract language

Insurance/risk – explore Cyber Insurance

CRO Perspective: Q&A

Thank you for listening and your feedback is welcome!
