OPERATIONAL READINESS REPORT

FOR: Energy.Corp

1Sept 2017 – v1.1

Overview findings Assurance areasAssuranceArea Health* RelatedFindingNumber(s)*

FUNDING 001

ARCHITECTURE 002,003,004

SUPPORT 005,006,007,008

KNOW-HOW 009

CONTRACTS 010

PROCESS&TOOLS 011,012,013,014,015

RISK MANAGEMENT(SECURITY) 016

CUTOVERPLAN N.A.

*(R)ed, (A)mber, (G)reen** See Slides 9 to 15 detailed findings

2Sept 2017 – v1.1

Conclusion & RecommendationThe CONSLUSUION \ You will be operational ready or not , because of xyz

Our Recommendation \ Must-do actions regardless what and alternative approaches

3Sept 2017 – v1.1

Contents

• Scope, background & current status of the application• Objectives & Approach of the Readiness Scan• Findings in detail• Overview findings KEY assurance areas• Conclusion & recommendation• APPENDIXES

4Sept 2017 – v1.1

Scope, background & current status of the serviceThe BACKGROUND \.. In2014individualinitiativesintheSolarpower(SP)and ZeroPointEnergy(0P)divisionswerestartedtodevelopanddeliveranewtoolforcostestimating:

• SP: GlobalnormsProject

• 0P: ReplacementofcurrentMTOtypeofestimatingtool(s)

Main reason for change \.. thedirectivefromGlobalIT4IT, Energy.Corp isnolongersupportingDbaseandspreadsheetapplications(obsoletetechnologyandsecurityweakness).Itisacknowledgedthatlegacysystemshaveflaws,aresecurityweak,areinconsistentandneedtobereplaced.Similarrequirementshavebeenidentifiedinbothsectorstostore/maintainnormsandtoprovideestimating/contractingfunctionalityforEnergy.Corp andhercontractors,resultedinajointdevelopmentofagroupIT4ITsolution.

5Sept 2017 – v1.1

Scope, background & current status of the serviceInvestment Proposal \.. SolarPowerhasan(14MUSD)investmentproposalalreadyinplaceandthetooldevelopmentwasdoneincloseconjunction(sharingcosts)withZeroPointEnergyonthebackofit.TheInvestmentproposalcalledTheGlobalScheduleofNormsprojectwasfor:

• 1.DevelopmentofGlobalNormsforkeydisciplines

• 2.DevelopmentofContractTemplatestoexecutethosenorms

• 3.Deliveryofaweb-basedContractCostEstimatingSystem(CCES)toholdandmaintainthenormsandtocalculatethecostoftasksexecutedthroughthecontracts.(Estimating)

ThedevelopmenthasalwaysbeenanjointmanagementbetweenSPand0P.OverallownershipremainedinSP,thesupportmodelisalsoSPwhereastheGlobalfunctionalknowledge(GlobalSME)resideswith0P.SPmanagestheIM/ITportfolio.Tool.ltd,thevendorownstheIntellectualProperty,thesystemwillbeusedbyotheroperatorsthanEnergy.Corp.

6Sept 2017 – v1.1

Scope ,background & current status of the serviceThe Scope \.. CCES(ContractCostEngineeringSystem)ispredominantlyaMTO(MaterialTakeOff)estimatingsystemforthecreationofType3and4estimates

• ThesystemisaEnergy.Corp supportedsystemforestimating(andcontrol),anditprogressivelyreplacesexistingapplicationsforbothSolarparkandResearchfacilitymaintenance,turnaroundandprojecttasksinbothSPand0P,andinsomeplacesisusedtointroducetransparencyincontracts(utilizationofnormsandCostItems)

• 3rdpartypersonnelarethemainusersofthesystem,andthisisreflectedinthefunctionalarea’sandbusinesscontrolsetup,Energy.Corp staffapprovestheestimatesandprogressforpaymentpurposes

• CCESisaWebbasedapplication,aEnergy.Corp IT4ITsolutionwithcommonITstandardandGroupITarchitecture

• Uponcompletionofanestimatefromwithinacontract,subsequentapprovaloftheestimate,andafterexecutionoftheworktheprogress/payment,adownloadcanbegeneratedtofeedtheServiceentryrequirementsintheERPsystem.

7Sept 2017 – v1.1

Scope ,background & current status of the serviceCurrent status:

• VersionB.1.27issuccessfullyrolledoutallovertheGlobewithtodatesome6000estimatesinthesystem.BothSPand0PandtheircontractorsarewithinEnergy.Corp themajorusersofCCES.17000licenseshavebeenpurchasedtodatebutthisisagrowingscenario.

• Energy.Corp andTool.Ltd arecurrentlyintheprocessoffinishingdevelopment/testingVersionB.2ofCCESenhancingfunctionalitytobusinessrequirements

• AnumberofInterfaceshavebeendeployedandarebeingsupported.Howeverinterfacesinitiallyhavebeendeployedisolatedwithoutanyrealarchitecturalconsiderationfortheoverallsolution.Architectureoptimizationandinterfacerationalizationprojectsareplannedfor2018and2019.

8Sept 2017 – v1.1

Objectives & Approach of the Readiness Scanthe OBJECTIVE\ .. ofthisReadinessScanistoassestheOperationalReadinessoftheServiceandestimatetheeffortrequiredtotransitiontheServicefromtheOldManagedServiceProvidertotheNewManagedServiceProviderthe APPROACH\ .. TheresponsibilityofthetheNewServiceProviderforservicesintheircareprimarilylieswithensuringthattheapplicationavailabilitycanbeassuredaccordingtotheagreedservicetier(Continuity)andtheadherencetoInformationRiskManagementRequirements(Compliance).Inordertoensurethisevery(new)applicationhastomeetapre-definedsetofrequirementsdescribedintheOPSASTOworkbook.Thoughinterviewsandbyscanningdocumentationandit’savailabilityweassesthecapabilityoffulfillingtheOPSASTOassurancesandregistertheGAP’s.* Asthisisanpre-projectduediligence,theassessmentofProjectDeliveryassurancesforanin-flightprojectisoutofscopeandnotincluded.

9Sept 2017 – v1.1

Budget

Health ID Finding Detail

001 Budget- OperationalExpenses(OPEX)

WehavenotbeenabletogetanclearandcomprehensiveoverviewoftheOPEX of theCCESservice.

Wehaveidentifiedfourmaincostelements.

1. (thevendor)whochargesthecostsforusageoftheirplatformandasapercentageofthedollarvalueofthetransactions.Butthisdoesnotincludethedata storageandbandwidthcosts, forwhichconsumptioncostsarechargedadditionally.

2. BusinessSupport>>noindicationofchargingmodel,probablyrollupatgrouplevel.

3. InterfaceSupport>>ERP,MiddlewareandOther– noindicationofchargingmodel,probablyrollupatgrouplevel.

4. Energy.Corp GovernancecostsforCCES.Thesecostshavenotbeenestimatedandarenotincludedinthebudgetestimates.

10Sept 2017 – v1.1

Architectural Assurance

Health ID Finding Comments

002 SingleSign-on SingleSign-onmechanismmightbreakafteranCCESupgrade(Tool.Ltdcannot/doesnottest this).However userscancontinuetologinbymanuallyenteringtheircredentials

003 UnknownInterfaces Itcouldbethereareinterfaceswecurrentlydonothaveontheradar.f.i. itisnotclearwherethecrystalinterfaceshouldfitincurrentlandscape.

004 Test/AcceptanceEnvironment

Tool.Ltd usesatest/acceptanceenvironmentfortestingnewrelease,butthisenvironmentisdifferentfromtheproductionenvironment.Onseveraloccasionsanewreleasehasledtosignificantdisruption duetoerrors, eventhoughinacceptancenoerrorswherefound.It issuspectedthatpartofthedifference istobeexplainedbynothavingaproperestablishedtestapproach(fullintegration,unittest, etc).Tool.Ltd wouldf.i.generatetestfileswithhumanintervention andTool.Ltd doesnotreallydouserregressiontesting.

11Sept 2017 – v1.1

Support Model

Health ID Finding Comments

005 SuperUserFunction(SupportModel)

thereisansuperuserfunctionpresentwhichisstaffedbySolar Power personnel.TheSuperusersareabletosolvearound70– 80%ofthefunctionalsupportrelated

006 Tier1technicalsupport(SupportModel)

Tier1supportfunction\..IsprovidedbytheOldServiceProviderServiceDesk.Issues canberaisedviaphone,emailorawebform andServiceNow isusedasticketingsystem.Knowledgeand/orpersonnelwillneedtobetransferredtoNewManagerServiceProvider ServiceDesk.NewManageServiceProviderServiceDeskdoesnotprovidePhoneSupport

007 Tier3supportfunction ATier3supportfunctionisprovidedbytheapplicationvendorsTool.LtdTool.ltd usesit’sownticketingsystem.Tool.ltd hasrepeatedlynotbeenabletomeetKPI’s.Tool.ltd holdsIPoftheapplicationhenceitwillbedifficulttochangethesupportproviderforthisfunction.

008 Tier2Support aTier2supportfunctionisprovidedbyan3rd partyoffshoreteam.Theteamisworkingintwoshiftsintwolocations.OnBrazil,andoneIndiabasedshiftbothworkingonlocalofficehours.The3rd partyiscurrentlynotoneoftheNewServiceProviderPartners,KnowledgewillneedtobetransferredtotheNewServiceProvider.

12Sept 2017 – v1.1

Know-How

Health ID Finding Comments

009 Documentation Wehaven'tbeenabletofindalmost*anytechnicaldocumentation,architectureordesigndocumentationfortheinterfaces(*wehavebeenabletofindandarchitecturediagramwithaas/isoverviewandaroadmapfor2016&2017,howeverthearchitectindicatedthattheas/isdrawingcouldbeincomplete.

13Sept 2017 – v1.1

Contracts

Health ID Finding Comments

010 EndToEndaccountability

ThereisnoEndtoEndresponsibilityforservicelevelsandlimitedintegrationbetweentheindividualsupportfunctions.TheTransitionprojectwillneedtodevelopandagreeaviewontheextendoftheNewManagedServiceProvider responsibilityandtherequiredlevelofintegration.

14Sept 2017 – v1.1

Processes and Tools

Health ID Finding Comments011 Ticketing Tool TheBusinessSupportFunctiondoes nothaveaproperticketingsystem inplace.

Currentlyarudimentarysolutioninsharepoint isused.

012 Ticketing Tool Tool.Ltd usesit'sownticketingsystem. ThereisnoagreementabouthowticketsshouldflowbetweenTool.Ltd andtheEnergy.Corp supportfunctionsisinplace.Thetransitionprojectwillneed todevelopandagreeasolutionforthis

013 KPIReporting ThereisnoKPIreportinginplace. Dependingontheoutcomeofthelevel(E2E)responsibilityoftheNewManagedServiceProviderasolutionwillneedtobedeveloped.

014 ServiceManagementProcesses

Therearenostructured processesinplaceforincident,changeproblemandreleasemanagement.ItisadvisabletohavetheTransitionprojecttaketheremediationintoit’sscope,howeverstrongcommitmentfromthebusinesssupportfunctionsisrequiredinorderforthistobesuccessful.

015 Release testing Tool.Ltd doesthreemajorreleasesperyearandseveralminorreleases.Theimpactontheinterfacesisnotincludedinthe testingactivities.Tool.Ltd usesa"pushandaccept"releaseapproach,thereisalimitedtimewindowtotestthereleaseandEnergy.Corp hasnooptiontohaltarelease.

15Sept 2017 – v1.1

Risk Management (Security)

Health ID Finding Comments

016 BusinessImpactAnalysis(BIA)

TheonlyinformationIhavebeenabletofindwasfromtheinitialreleaseprojectfolders.

ThisholdsanBIAdatedDecember2014. AsthisBIAisalmostthreeyearsoldtheassessmentneedstobeupdatedagainstcurrentstandardandsituation.HoweverInthe2014BIAconfidentialityandintegrityareratedashighandthereisafootnoteaboutbusinessriskswithregardstoreputation,deliveryandcontractmanagement.

thereisexternalaccessfromvendorstotheapplication.

ItisassumedthattheapplicationisbusinesscriticalhoweverIhavenotbeenabletoconfirmthis

Ina2017BIAthiswillverylikelybeamidorhighriskapplicationandandcontrolswillneedtobeinplace.Ihavenotbeenabletoassesifcontrolsareinplace.

16Sept 2017 – v1.1

list of interviewed people and consulted information sources • Lee Brown – Service Desk Lead - 3rd Company• Karla Gelb – IT Manager Energy.Corp• Natasha Martinoska – Service Delivery Manager, New

Managed Service Provider• Wah Leng Tan – Business Process Owner• Michael Warren – Developer Tool.Ltd• Project and Service Management documentation

17Sept 2017 – v1.1

Hidden slide – traffic lights

18Sept 2017 – v1.1