
Request for proposal

Data Loss Prevention (DLP) Strategy
July 2018
Protiviti supporting information
2.3 Innovation
We encourage you to be innovative when providing proposals and solutions to Aberdeen. Please provide an overview
of how you ensure continuous innovation across all areas of your company, including a couple of recent examples of
such innovation.

1. Innovation increasingly underpins all that we do in Protiviti.


2. We have a structured, ongoing innovation program which rewards employees for ideas that help Protiviti
and our clients and run regular, global, innovation challenges with four goals:

a. Promote and encourage Protiviti’s culture of Innovation

b. Build teamwork and cohesiveness

c. Practice skills in creating innovative ideas

d. Solve specific challenges set out by Protiviti leaders

3. We have a specific focus on digital innovation driven by our Global Head of Digital, Jonathan Wyatt, who is
based in London and who regularly uses London for incubation of ideas. In a hackathon early this year, the
winning team came up with an idea to automate aspects of Protiviti’s GRC Portal implementation. This is now
being done successfully in client projects, which are benefiting from the efficiency and quality it provides.

4. Overall innovation and digital innovation are now supported by Innovation Sites, one of which is also
in London, one of three offices selected globally.

5. In service delivery, we are disrupting our core Internal Audit practice by introducing process analytics tools
to drive wider and deeper coverage of process oriented audits. We have similar work occurring within
Technology Consulting, where we are using Robotic Process Automation to decrease the use of manual
access provisioning. In our Risk & Compliance and Business Process Improvement practices, we are
undergoing similar initiatives and live projects increasing automation and introducing analytics into the KYC
and transaction monitoring functions and to automate longer financial transactions.

2.4 Project management


Please provide an overview of your project management organisation and how you access this to support client
projects. Also, please include details of your proposed project management approach for this Project, how you expect
this resource would interface with Aberdeen, and what project reporting and governance structures you would expect
to have in place to ensure the successful delivery of the Project. If possible, please also confirm any key personnel
you would expect to assign to this Project.

1. Project management organisation – Good project management practices are built into each of our practice
personnel. We do not manage this as a separate discipline but we do train a subset of personnel as PMPs,
PRINCE2 and Agile practitioners who focus on large project delivery and/or project management as a
distinct consulting offering. Finally, in our wider practice, we do have specialists in project finance and
regular administrative reviews of project health that add a layer of independent quality assurance on our
client delivery.

2. Our team is outlined on slides 14-17 of the ASI DLP Strategy – Protiviti RFP Response pack.pdf
2.5 Recruitment and staff retention
Please provide details of your recruitment policies and processes, including the levels of vetting you undertake for
permanent and temporary staff. Please also provide some background information on how you look to retain staff, and
how you would incentivise staff on this Project.
1. Recruitment and retention policies and processes – Protiviti thrives on diversity and inclusion and
our recruitment and retention practices reflect this.
a. We actively recruit graduates across UK universities and have a discrete focus on individuals
with disabilities for which we partner with a specialist organisation called EmployAbility.

b. We have Experienced Hire and Expat community groups which help individuals in these
groups acclimate to life in consulting and in the UK.

c. Our Mobiliti programme is dedicated to matching the desires of our personnel to work in
different offices with the demands of these offices.

d. We have a comprehensive onboarding process for all new hires and transfers.

e. We have a commitment to mental health formalised with a corporate charter and partnership with
a specialist charity called Mind.

f. We have an active LGBT network called ProPride, which was the headline sponsor of Pride in the
City in 2017. Pride in the City is a business-focused initiative to support workplace inclusivity and is a
partnership between Pride in London and OUTstanding and is backed by the Mayor of London,
Sadiq Khan.

g. We have an active Women’s network called iGroww which is focused not only on the unique needs
of women in the workplace but all individuals subject to unconscious bias or otherwise in need of
different working conditions.

h. We have a rigorous focus on training across and within disciplines budgeting for £2,500 per
person annually. This includes in person and online training and internal and external expertise.

i. Finally, we have active social and community initiatives targeting sport, wellness, charitable activity
and giving and genuine engagement of people and their strengths. These activities are embedded in
our performance management system which is our formal mechanism for ensuring they are
recognised and addressed.

2. Vetting for permanent and temporary staff – We perform the following:


a. Permanent staff

i. Robust interview and assessment process including executive presentations for all experienced hires

ii. Eligibility to Work in the U.K

iii. Identity checks

iv. Employment Reference Checks

v. Financial credit checks for most staff

vi. Criminal Record Check

b. Temporary staff

i. Robust interview and assessment process including client interviews where requested

ii. Eligibility to Work in the U.K

iii. Employment Reference Checks

iv. Financial Credit Check

v. International Fraud and Sanctions Check

vi. Criminal Record Check


3. Project-based incentives
a. Project evaluations are linked to competencies for each role and are aligned to learning and
development. They are a core component of our performance management system. Team members
align their annual and career objectives with the project’s objectives and a plan is managed ongoing
through completion of the project. The project evaluation score becomes part of the employee’s
variable compensation that is paid annually.
4. Supplier Information
Please provide the information requested in the table below regarding your company.

Question: Legal entity name
Response: Protiviti Limited

Question: Legal entity status
Response: Private limited company

Question: Country and date of incorporation
Response: July 10, 2002

Question: Country of business (if different)
Response: United Kingdom

Question: Company address
Response: Washington House, International Square, Starley Way, Birmingham, B37 7GN

Question: Please state which regulatory body the company is registered with.
Response: Companies House

Question: Registration number
Response: Company Number: 04482240

Question: Please describe the company's ownership structure including names of owners, percentage of ownership and any significant changes to the ownership structure over the past 3 years.
Response: Protiviti Limited (UK) is held by Protiviti Incorporated which is a wholly owned subsidiary of Robert Half International, Incorporated.

Question: Please describe the company's legal structure and provide a copy of the company’s legal structure chart (outlining ownership and relevant subsidiaries/partnerships/joint ventures).
Response: Protiviti Limited (UK) is held by Protiviti Incorporated which is a wholly owned subsidiary of Robert Half International, Incorporated.

Question: Please confirm if any identified owners with a 10% stake, or their immediate relatives or close associates, have any political connections and provide details of same.
Response: Our Directors are Michael C. Buckley and M. Keith Waddell. Neither has a stake of 10%. Neither is currently, or was previously, a government official, and neither has a relationship with a government official. No government officials are entitled to any compensation from within our group.

Question: Please describe the company’s internal organisation structure and provide a copy of your organisation chart.
Response: Joe Tarantino is our President and CEO. His Executive Team comprises eight Executive Vice Presidents: Cory Gunderson (Global Solutions), James Pajakowski (Global Strategy, QRM and Legal Matters), Scott Redfearn (Global Human Resources), Brian Christensen (Global Internal Audit Leader), Patrick Scott (Global Industry Programs and Account Management Program), Andrew Clinton (International Operations), Susan Haseley (Diversity and Inclusion), Barbara Rothenstein (Global Finance and Operations).
https://www.protiviti.com/UK-en/ExecutiveLeadership

Question: How many employees does the company currently have?
Response: As of January 2018, including our network of member firms, we have approximately 5,000 professionals serving our clients.

Question: What is the current staff turnover rate?
Response: Since Protiviti Limited is part of a publicly listed organisation (Robert Half International Inc.), we cannot share this confidential information.

Question: Please confirm if the company has adequate coverage with respect to regulatory capital and insurance (PI, Directors and Officers, Public Liability) to fulfil its commitment and provide details of same.
Response: Protiviti Limited’s Public and Product's Liability Insurance Carrier is Chubb Insurance Company of Europe SE. Public and Product's Liability Insurance Policy # 35796687. Public and Product's Liability Insurance Expiration Date is May 31, 2018 (updated policy date pending). Public and Product's Liability Insurance Limit is $5,000,000.

Question: Please provide a copy of your company's latest audited accounts (last 3 years).
Response: All annual reports and publicly released financial information are available for review on:
https://www.roberthalf.com/investor-center/2017-annual-report

Question: Where applicable, please confirm that the company has the appropriate authority, permissions and licences to provide the in scope services for all relevant jurisdictions and identify what they are.
Response: Protiviti Limited is a private limited company registered to operate in the UK where the services will be provided.
5. Key Contractual Terms
Please confirm your agreement to the terms set out below which will be incorporated in any contract between our
organisations in relation to this Project.

Key term: Term and termination – Aberdeen has the right to terminate without cause on 30 days’ notice.
Vendor agreement (Y/N): Y
If N, vendor comments: N/A

Key term: Supervision/Instructions/Audit – Aberdeen has the right to supervise your activities which may include gaining access to your data, personnel and premises.
Vendor agreement (Y/N): Y
If N, vendor comments: Agree in principle, subject to reasonable notice, audits being in normal business hours and adherence to confidentiality provisions.

Key term: Sub-contracting and assignment of rights and powers – Aberdeen has the right to undertake additional due diligence on third parties used by you in the provision of the products or services and the right to require, where considered necessary, that Aberdeen’s prior written consent is obtained before you engage any other third party to provide part of the services. Subcontractors (including cloud hosts) who are to be processing personal data of certain [non-UK based] companies in the Group will be required to enter into Data Processing Addendums direct with such companies. Such Addendums shall include EU model clauses where data is being processed outwith the EU. No assignment is permitted without Aberdeen’s prior written consent.
Vendor agreement (Y/N): Y
If N, vendor comments: N/A

Key term: Policies – you confirm that you will adhere to all Aberdeen’s applicable policies, including the Supplier Code of Conduct attached as Appendix 5.
Vendor agreement (Y/N): Y
If N, vendor comments: Agree in principle, but we would need to see the policies that are applicable before contractually committing to adhering to them.

Key term: Business Continuity – you warrant that you have appropriate business continuity and disaster recovery plans and arrangements in place to ensure continuity of service and that you will implement such plans to ensure continuity of service.
Vendor agreement (Y/N): Y
If N, vendor comments: N/A

Key term: Confidentiality – you will keep all information regarding Aberdeen and the provision of the services confidential and secure.
Vendor agreement (Y/N): Y
If N, vendor comments: N/A

Key term: Warranties – you will provide suitable warranties including warranties that:
You have the capacity to provide the services effectively
You will perform the services in accordance with best industry practice using appropriately qualified, trained and experienced resources
You have all rights, permission and licences necessary to provide the products and/or services and to enter into the contract
You shall comply with all applicable laws and regulations
Software Warranties – you warrant that the software will not infringe any 3rd party IPRs, will be virus free, and will operate in accordance with its specification.
Vendor agreement (Y/N): Y
If N, vendor comments: We agree in principle with having appropriate warranties to warrant that we will perform the services with all reasonable skill and care and in accordance with generally recognised commercial practices and standard of care for similar services. “Best industry practice” is not appropriate because our clients are often not looking for or wanting to pay for best industry practices, but services that are customised and fit for purpose for their business and particular needs. I think we are aligned in intent here, but we will need to discuss the warranty wording to take into account these points.

Key term: Liabilities and Indemnities – Please note any cap that will apply to your liability. Aberdeen requires uncapped indemnities for (i) 3rd party claims that the use of your product and/or services breaches such 3rd party’s IP rights, (ii) breach of confidentiality and (iii) breach of Data Protection Regulations.
Vendor agreement (Y/N): Y
If N, vendor comments: Protiviti’s liability to Client is typically capped in the aggregate at the greater of £300,000 or 1.5 times the total amount of fees paid to Protiviti under the Agreement. However, we can discuss and negotiate on this point if needed.

Key term: Conflicts – you must take all reasonable steps to identify, manage and monitor potential conflicts of interest and promptly disclose any such conflicts.
Vendor agreement (Y/N): Y
If N, vendor comments: N/A

Key term: Applicable law – contract will be subject to the laws of England and Wales or Scotland.
Vendor agreement (Y/N): Y
If N, vendor comments: N/A

Key term: Data – you will, on termination, return, destroy or transfer to Aberdeen or a successor provider (within 15 days or such other appropriate time period agreed with Aberdeen) all Aberdeen data.
Vendor agreement (Y/N): Y
If N, vendor comments: We can agree to do this upon request with some conditions which are that we are allowed to retain a copy of information if required for legal/regulatory reasons and a copy of electronic information stored in back-up/archival storage in accordance with policy that cannot reasonably be destroyed.

Key term: IPR Ownership – Aberdeen will own all IP rights in deliverables.
Vendor agreement (Y/N): Y
If N, vendor comments: This is fine, with the caveat that whilst Aberdeen shall own the copyright in the Deliverables, this will exclude any Protiviti Proprietary Materials and any third-party software that is incorporated into the Deliverables. Protiviti retains all right, title, and interest in the Protiviti Proprietary Materials… for which Protiviti will grant Aberdeen a nonexclusive, nontransferable license to use the Protiviti Proprietary Materials solely to the extent necessary to make use of the Deliverables as contemplated by our Agreement.

Key term: Licence grant – you will grant Aberdeen a perpetual, non-exclusive, worldwide licence for itself and members of the Group to use software or IPR provided as part of the services.
Vendor agreement (Y/N): Y
If N, vendor comments: Same as above

Key term: Third party software – you will be responsible for any third party software provided by you and used in the provision of the services and you will be responsible for providing all warranties and indemnities in relation thereto.
Vendor agreement (Y/N): Y
If N, vendor comments: N/A

Key term: Data Protection – all processing and storing of personal data by you or your subcontractors (including cloud hosts) shall be performed in accordance with relevant laws or regulations of the companies in the Group receiving the services. In particular all processing or storing of personal data of companies in the Group based in the EU shall be performed in the EU otherwise you shall be required to adopt the EU model clauses in the provision of the services.
Vendor agreement (Y/N): Y
If N, vendor comments: N/A

Key term: Publicity – no publicity without prior written approval of Aberdeen.
Vendor agreement (Y/N): Y
If N, vendor comments: N/A
