Internal

1. ADDRESSING BUSINESS RISKS AND OPPORTUNITIES

NS management (CEO, COO, Head of ITSS, Head of CM&A) must periodically (no less than semi-
annually) assess the risk to organizational operations (including mission, functions, image, or
reputation), organizational assets and individuals, resulting from the utilization and operation of
organizational information systems and the associated processing, storage, or transmission of
organizational internal and external information (jointly “Risk Report”). It is the responsibility of the
CEO to organize the collecting, analysis and reporting of risk data points for the semi-annual Risk
Report.

Within the scope of the NS Continuous Improvement Process Policy (see NS-QMS-GL-CI 1.0 for detail),
NS management will conclude each semi-annual risk reporting conclusion with actionable direction in
terms of 1) risk mitigation and/or elimination strategies and 2) opportunities identification for NS
and/or NS clients.