
US Steel Tower Suite 4940 · 600 Grant Street · Pittsburgh PA 15219-2703 · USA

Reputation Resilience Assessment

******* ***** Inc

February 2020

Reputation risk is a potentially existential liquidity peril to a firm from the net costs of angry disappointed stakeholders. This report comprises suggestions for mitigating that risk through changes to existing enterprise risk management controls. The recommendations follow from an assessment of the Holding Company’s risk management apparatus evidenced in publicly available documents.

This report is the deliverable written work product pursuant to Steel City Re’s Standard Operating Protocol P3404. Steel City Re employs principles of informational and behavioral economics to provide reputation risk management and insurance solutions. Steel City Re is an overseas advisor to the Lloyd’s of London syndicate, Tokio Marine Kiln.


Page 2 of 32


Contents

Premise ... 4
Summary and Recommendations ... 4
Purpose of the Engagement ... 8
Administrative Background ... 9
Engagement Process ... 9
    Client Engagement Team ... 9
    Schedule of Sources ... 10
    Schedule of Quotes/People Lookup ... 10
Client Narrative ... 11
Perils and Risk Management ... 12
    Risk Disclosures ... 12
        Loss of Talent ... 12
        Impaired IT System ... 12
        Compliance ... 13
        Financial Management ... 13
    Risk Issues in the News ... 14
        Ethics/Gender/ESG ... 14
        Ethics/Quality/Brand Safety ... 15
        Data & Data Privacy ... 16
    Risk Management Apparatus ... 17
        Governance ... 17
        Senior Management ... 18
        Controls ... 19
        Disclosures ... 21
    Quantitative Analysis ... 23
Discussion ... 27
About Steel City Re ... 30
Endnotes ... 30


Premise

Recent surveys of corporate executives from the highest performing firms reveal the current belief that reputational value represents no less than 76% of a firm’s value.1 Protecting this value with reputational resilience—the ability of reputational value to resist shocks—is possible only when a firm’s stakeholders choose to accept adverse news without the heightened emotional responses that tend to precipitate long-tail economic damage. Informational and behavioral economics explain why stakeholders would make such choices and provide the theoretical framework underpinning the recommendations that follow.

Summary and Recommendations

******* ***** Inc. is a strategic holding company (the “Holding Company”) providing centralized legal, financial, information technology and risk management services for its portfolio of ********* *** ********* ************* ********. Its four greatest reputational risks comprise loss at its agencies of the talent underpinning the quality of its services, impairment of the integrity and security of its information technology systems, errors and omissions in its legal and regulatory compliance, and breaches of the ethical standards of its financial management. The Holding Company manages these reputational risks through a risk management apparatus (the “Apparatus”) comprising governance, senior management, internal controls, and stakeholder disclosures. The Apparatus is objectively effective by Steel City Re’s risk metrics: the Holding Company is ranked highest in reputational value and lowest or average among its industry peers for risk factors shown to aggravate equity price declines in a reputational crisis. Subjectively, the Apparatus employs the full spectrum of reputation risk management tools and strategies, i.e. governance, senior management, internal controls, and stakeholder disclosures. Suggestions for improving the current Apparatus are enumerated below:

1. General Observation

a. The formal legal and compliance tone within the internal control documents could be enhanced with an acknowledgment that legal and compliant behaviors may still produce significant reputational damage. This point is made in the 2019 Code of Conduct document. It is less clear in the Internal Control Line document. The phrase “suspected violations” ending paragraph 2 may benefit from expansion.

2. Governance

a. Oversight of the four major reputational risks is split between two Board committees. The Governance Committee is tasked with overseeing matters related to the Code of Conduct and business ethics, both of which are germane to both the risks to talent and the risks to financial ethics. The Audit Committee is charged with overseeing legal, compliance and cybersecurity risk. There may be benefit to identifying a process under the authority of the Board as a whole that can help reconcile the division of labor and ensure that certain reputational risk issues do not fall between the cracks, given their materiality.

b. Cybersecurity is often interpreted to include resilience to threats to a system’s continued operation (denial of service, ransomware, system collapse) and protection of data against exfiltration, whether carried out by people or by malware; that is, availability and confidentiality. Given the importance of data integrity, fidelity and trustworthiness, a nod to the third aspect of cybersecurity, assurance that data have not been altered, corrupted or fabricated without authorization, may be indicated.

3. Senior Management

a. The Apparatus layers comprising the Treasury, Legal, Controller, Information Technology, and Internal Audit functions at the Holding Company level and management at the agency level collectively monitor and test company-wide policies and procedures. Is the Board confident that a common understanding of reputation risk throughout these leadership levels has been promulgated? If not, specific training to align governance with the managerial elements of the Apparatus may be indicated.

4. Internal Controls

a. Recruiting and retaining quality staff is an existential reputational risk. Several control and marketing documents touch on the subject: sexual harassment training within the review of Corporate Social Responsibility, the separate Code of Conduct, and the Holding Company’s Human Rights Policy. Separately, there is a dedicated executive officer for Diversity and Inclusion. This diffusion reflects a tension among three reputation risk management strategies: storytelling through CSR, compliance processes, and the fusion of the two in the Diversity and Inclusion executive. Disability as a talent-related issue appears to be underserved by the Apparatus when compared to Diversity and Inclusion. Harmonization among these elements to sharpen both the storytelling and the controls may be a worthy investment.

b. In the matter of cybersecurity, do the existing processes, policies and procedures foster sufficient attention to data trustworthiness?

c. When discrepancies between behaviors and policies are exposed, the principal Apparatus group responsible for its management appears to be the legal department. Is there room to expand the discrepancy management model to include reputational considerations?


d. There are several references to the processes by which decisions made by the Board take into account the interests of all stakeholders or incorporate shareholder feedback as channeled through management. It is not clear how stakeholder interests other than those of shareholders wind their way back to the Board.

5. Disclosures

a. ******* ***** *********** argues that ****** brands ***** ******* should tell their story through “a union of science and art.” ******* as a Holding Company leverages the science of informational economics and the Apparatus for the benefit of its agencies to tell a reputation risk-aware story to certain stakeholders. This is more than reasonable with respect to reputation resilience, for it is a fact that stakeholders cannot appreciate and value that of which they are not aware. As to what could or should be brought to their attention, there are several additional opportunities for telling a more robust story more widely. They include:

i. Metrics: Internal controls including metrics reporting the state of risk and its management for the top four reputational exposures: talent recruitment/loss, cyber system and data integrity, enterprise-wide compliance, and financial ethics.

ii. Processes: An overarching disclosure that discrepancies in compliance with company policies (as opposed to the law of the land) are managed both with respect to what is required by law and what is expected by stakeholders.

iii. Quality of the Metrics and Processes: Third party attestations to the effectiveness of the internal controls, and the Apparatus more broadly, including process awards, financial solutions (such as insurances, warranties), and related tools of informational economics.

6. Risk Financing and Risk Transfer

a. In the setting of a severe reputational crisis, Steel City Re’s regression models project a **% drop in market capitalization in the first 4 weeks.

b. Discounting any benefits from improvements to the Apparatus, and all things being equal, share repurchases during the year following the crisis in an amount approximately double what the company most recently executed would be expected to restore the stock price to its original value.

c. Based on ****** **, 2020 share price of $**, a repurchase of **** million (***%) of the shares outstanding would cost in excess of $*** million.


7. Miscellaneous Issues

a. The proxy reports that the Peer Metric Group comprises **** trading names, provided by the consultancy, *********. The currency of this list should be reviewed in light of recent M&A activity.

b. Website and Contents Discrepancies (see footnotes for URLs):
i. © date: 2017²
ii. Careers link broken³
iii. ©2018 ******* ***** Inc. All Rights Reserved.⁴

8. Implementation Checklist

a. Overall: Update legal and compliance risk language with reputation risk terminology.

b. Governance: Reconcile the oversight risk due to the shared responsibilities between the Governance and Audit committees of the Board; adopt a more expansive definition of cybersecurity to speak to data trustworthiness.

c. Senior Management: Offer training to senior management at the Holding Company and Agency levels to ensure a shared definition of reputation risk and implications arising.

d. Internal Controls: Harmonize the legal, marketing, and risk management language among the many control documents; expand cybersecurity controls to foster data trustworthiness; enhance the attention of controls to include disability; and expand discrepancy management language to include reputational considerations.

e. Disclosures: Realize all the potential value created through improvements in the Apparatus by leveraging “the science and art” of post-advertising communications about risk management metrics, risk management processes, and validators of the quality of both such as attestations, warranties, and insurances.

f. Miscellaneous: Correct typos (Item 7).

g. Lifecycle: Disclose changes, translate as indicated, train at the employee level if and where employee action is indicated, adjust executive responsibility and informational duties if and where indicated, direct to the control hotline and other assurance loops to manage discrepancies, establish and monitor metrics for both success and risk, and review annually.
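Items 2b, 4b and 8d above ask whether the cybersecurity controls attend to data trustworthiness in addition to availability and confidentiality. What follows is an added illustration, written for this edition and not part of the report or of the Holding Company’s own controls, of what such a control looks like in practice: a keyed MAC over a canonical encoding of each record, chained so that an altered, deleted, inserted or reordered record fails verification. A backup or an encrypted store would preserve a silently edited invoice amount just as faithfully as the correct one; the chained tags are what reveal the change. The key, the record layout and the invoice rows are constructed for the example.

```python
"""Integrity check over a set of business records (added illustration).

Availability controls (backups, failover) and confidentiality controls
(encryption, access control) do not by themselves reveal whether a record
was silently altered. A keyed MAC over a canonical encoding of each record,
chained so that each tag also covers the previous one, gives a concrete
check that a data set is still what the authorised process wrote.

Key, record layout and invoice rows are constructed for this example; a real
key would be held in a KMS/HSM rather than in source.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed example key; NOT a production secret.
EXAMPLE_KEY = b"example-integrity-key-not-for-production"

# Constructed sample ledger (three invoices).
SAMPLE_RECORDS: List[Dict] = [
    {"id": "INV-1001", "vendor": "Acme", "amount": 1250.00, "ccy": "USD"},
    {"id": "INV-1002", "vendor": "Globex", "amount": 980.50, "ccy": "USD"},
    {"id": "INV-1003", "vendor": "Initech", "amount": 4300.00, "ccy": "EUR"},
]

GENESIS = b"\x00" * hashlib.sha256().digest_size  # chain start value


def canonical(record: Dict) -> bytes:
    """Stable byte encoding: the same content gives the same bytes regardless
    of key order, so the MAC does not depend on serialisation details."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(records: List[Dict], key: bytes) -> List[str]:
    """Return one hex tag per record; tag[i] = HMAC(key, tag[i-1] || record[i]).

    Chaining means each tag depends on everything before it, so deleting,
    inserting or reordering records breaks verification, not just editing."""
    tags: List[str] = []
    prev = GENESIS
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        tags.append(tag.hex())
        prev = tag
    return tags


def verify(records: List[Dict], tags: List[str], key: bytes) -> Tuple[bool, List[int]]:
    """Recompute the chain from the records as they are now and compare with
    the stored tags.

    Returns (ok, positions): `positions` lists every index whose stored tag
    does not match. A single altered record fails at its own position and at
    every later one (the recomputed chain diverges there); a length mismatch
    is reported at the first missing or extra slot."""
    bad: List[int] = []
    prev = GENESIS
    n = min(len(records), len(tags))
    for i in range(n):
        expected = hmac.new(key, prev + canonical(records[i]), hashlib.sha256).digest()
        stored = str(tags[i]).encode("utf-8")
        # Constant-time comparison so timing does not leak where they differ.
        if not hmac.compare_digest(expected.hex().encode("ascii"), stored):
            bad.append(i)
        prev = expected
    if len(records) != len(tags):
        bad.append(n)
    return (not bad, bad)


def demo() -> Dict[str, Tuple[bool, List[int]]]:
    """Run the control against the intact ledger and three tampered copies."""
    tags = seal(SAMPLE_RECORDS, EXAMPLE_KEY)

    edited = [dict(r) for r in SAMPLE_RECORDS]
    edited[1]["amount"] = 9800.50  # one digit added to an invoice amount

    deleted = SAMPLE_RECORDS[:1] + SAMPLE_RECORDS[2:]  # INV-1002 removed

    reordered = [SAMPLE_RECORDS[1], SAMPLE_RECORDS[0], SAMPLE_RECORDS[2]]

    return {
        "intact": verify(SAMPLE_RECORDS, tags, EXAMPLE_KEY),
        "edited": verify(edited, tags, EXAMPLE_KEY),
        "deleted": verify(deleted, tags, EXAMPLE_KEY),
        "reordered": verify(reordered, tags, EXAMPLE_KEY),
    }


if __name__ == "__main__":
    for name, (ok, positions) in demo().items():
        print(f"{name:10s} ok={ok} failing positions={positions}")
```

The tags would be written by the process that owns the records and stored separately from them (or kept under a different access path), so that whoever can edit a row cannot also re-seal it; the verifier then runs on a schedule and any non-empty `positions` list becomes the discrepancy that the hotline and assurance loops in item 8g are meant to manage.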


Page 23 of 32

Quantitative Analysis

The quantitative analysis component of this Reputation Resilience Assessment serves two purposes. For risk transfer, it helps define the nominal value of trigger Loss Gates and the actuarially appropriate cost of linking an indemnification to that nominal value. It also helps define options for what limits would be appropriate for risk financing or risk transfer, with the selection subject to a firm’s risk management and financing strategy. For the Holding Company, this application of the metrics has already been executed. The other purpose is to help the firm’s Board meet its duty of information with a reasonable view of potential future scenarios arising from an adverse event. These scenarios are informed by Steel City Re’s actuarial modeling and data analytics efforts and are subject to revision from time to time as both the actuarial foundation and operational experience expand.

RVM Fundamentals (0.0000 precision)

Data Field                               Value
Current CRR                              0.9021
Current EWMA CRR VolWkVol Model          0.0256
Current CRR TTM VolWkVol Model           0.0172
Current InsInd                           1.0577
Current EWMA InsInd Vol                  0.0285
Current InsInd 2yr Vol                   0.0297
Current InsInd TTM Vol                   0.0255
Current ROE TTM                          0.0293
Current ROE Rebased TTM                 -0.1866
Current EWMA ROE Rebased TTM Vol         0.0246
Current ROE Rebased TTM Vol              0.1070
Current 13wk CRR Vector                  0.0095
Current 13wk ROE Rebased TTM Vector     -0.1594
Simulator Bind CRR                       0.8841
Simulator CRR TTM Vol (STDEV)            0.1090

Table 4: RVM Fundamentals, RVM_CRR-***-43880-8376-0.137-0.85-1.9-3-4_20200213.

The Apparatus is objectively effective by Steel City Re’s risk metrics. The Holding Company is ranked highest in reputational value and lowest or average among its industry peers for risk factors shown to aggravate equity price declines in a reputational crisis.34


Metric                                     Rank of 12 (a)   *****   *****   Rank of 3 (b)
Peak EWMA TTM                              0.4              0.7     0.5     0.00
EWMA Position                              0.2              1       0.4     0.00
Week Peak                                  0.2              1       0.4     0.00
Current STDEV Weekly Vol - 1 yr Trailing   0.3              0.6     0.5     0.00
Current EWMA - Prior 1 year Wk Vol         0.3              1       0.5     0.00
Current EWMA-STDEV Gap                     0.5              1       0.1     0.50
Current Monthly Slope of Gap               0.2              0.2     0       0.50
Current Duration of Trend                  0.1              0.7     0.1     0.00
Current Date                               0                0       0       0.00
Current 1 year Shares Change - Trailing    0.2              0.8     0.3     0.00
Current 4 week Shares Change - Trailing    0.3              0.5     0       0.50
Current SPX Returns                        0                0       0       0.00
Current Name Returns                       0.81             0.9     0.63    0.50
Current Normalized Returns                 0.81             0.9     0.63    0.50
TTM SPX Returns                            0                0       0       0.00
TTM Name Returns                           0.3              0.4     0.5     0.00
TTM Normalized Returns                     0.3              0.4     0.5     0.00
Intangible                                 0.63             0.54    0.81    0.50

Table 5: RVM_CRR-***-43880-8376-0.137-0.85-1.9-3-4_20200213. (a) Percentile rank of *** relative to the 12 Peer Metric Group members; (b) percentile rank of *** relative to the 3 Industry Peer Group members.

There are three factors companies may adjust that have been shown empirically to mitigate the impact of an adverse event on a firm’s stock price over the first year of a crisis. The first is structural and relates to a firm’s book value: firms with greater book value and less intangible asset value exhibit less volatility in the setting of a reputational crisis. The Holding Company’s intangible asset fraction is 140%, placing it in the 63rd percentile among its peer metric group and midway between **** and ***. Its reputation value volatility for the past year averaged 1.72%, and most recently its Exponentially Weighted Moving Average (EWMA) volatility measured 2.6%. Its share buyback policy recently reduced the number of shares outstanding by 3%. Based on the Holding Company’s metrics and current models for equity performance after a major reputational crisis, Steel City Re projects the following loss scenario.


Figure 2. Projected equity loss scenario in the face of a material reputational crisis involving talent, IT systems, legal and compliance process, or financial ethics.

It is currently believed that greater volatilities and intangible asset fractions impair stock price recovery and that greater share repurchase volumes boost stock prices. These impressions were derived from a quantitative deconstruction of twelve well-known reputation crises from the past decade and are consistent with modern theories of behavioral economics. Common patterns in the timing, course, and magnitude of losses were analyzed. Quantitative risk factors for equity losses near-term, at one year, and at two years were validated through three statistically significant linear regression models (all three: F-test p < 0.01; R² > 0.64), notwithstanding that the small size and non-random nature of the sample were suboptimal.34 In the year following an adverse event, these three factors account for 64% of the variance in equity price resilience. The only one of the three that is actionable is the share buyback volume, as described further below. The remaining 36% of variance is likely explained by facts and circumstances specific to the nature of the event and the quality of the crisis management effort that follows. Therefore, focusing only on the 64% of the variance explained by the model, and all other things being equal, Figure 3 projects what volume of share repurchase could be expected to offset the equity value loss. The course of equity performance under two alternative share buyback scenarios is then illustrated in Figure 4.


Figure 3: Post-crisis year one outcome. The regression model explaining 64% of the variance has an F-test p-value of < 0.01. Assumptions: $79 current share price pre-crisis; 31% 4-week equity value loss based on pre-crisis values of RVM% volatility 1.72%, prior-year share change -3.05%, and 140% intangible asset to book value. Data sources: *** SOP 3101 Graphics of Losses Calculator 202000224; RVM_CRR-***-43880-8376-0.137-0.85-1.9-3-4_20200213.

Figure 4: Alternative scenarios of aggressive share buyback of **** million shares and no share buyback following a major reputation crisis. Data sources: *** SOP 3101 Graphics of Losses Calculator 202000224; RVM_CRR-***-43880-8376-0.137-0.85-1.9-3-4_20200213.


Time (years)   High    Base (average)   Low     No Buyback   Aggressive Buyback
-1.04            0%      0.0%             0%      0.0%         0.0%
-0.04            0%      0.0%             0%      0.0%         0.0%
 0.00           -9%    -12.9%           -17%    -12.9%       -12.9%
 0.04          -26%    -30.9%           -35%    -30.9%       -30.9%
 0.22          -20%    -26.9%           -34%    -26.9%       -26.9%
 0.40          -20%    -27.5%           -35%    -27.5%       -27.5%
 1.00          -23%    -32.7%           -43%    -54.1%         0.0%

Table 6: Values for the alternative scenarios of aggressive share buyback of 16.7 million shares and no share buyback following a major reputation crisis. Data sources: *** SOP 3101 Graphics of Losses Calculator 202000224; RVM_CRR-***-43880-8376-0.137-0.85-1.9-3-4_20200213.

Discussion

Reputation risk is a peril of impaired corporate cash flows caused by economically relevant changes in the behaviors of aggrieved and emotionally charged stakeholders. It is a perennial top C-suite and Boardroom concern according to serial surveys,35,36,37 corporate regulatory disclosures,38 the governance, risk and compliance literature,39,40,41,42,43 CEO and director turnover notices,44,45,46 and D&O litigation filings.47,48 Strategies for mitigating the risk, according to nearly 40 years of qualitative marketing literature, are limited to pre-crisis virtue signaling through acts of corporate social responsibility,49,50 controlled marketing tone,51 and professionally managed crisis communications.

This Reputation Resilience Assessment comprised a quantitative and qualitative review of the indicators of reputation risk and the robustness of the Holding Company’s reputation risk management apparatus. Turning first to the quantitative assessment, the empirical data show that the dominant variable controlling equity value loss in a crisis is the pre-crisis one-year reputational value volatility (RVM% volatility). This underlying reputational value metric is generated algorithmically from cash flow expectations. The derived volatility measure reports the ability of a company both to manage and to fulfill the expectations of its stakeholders. It is a measure of enterprise risk management quality and a testimony to the harmony with which a company’s operating, communications, and enterprise risk apparatus function. RVM% volatility is not a measure of the level of performance per se, but of the consistency of a firm’s performance in meeting the expectations it has set among stakeholders. The Holding Company’s reputational value volatility measure is quite low, reflecting very good management of the balance between disclosures and execution.