David Nickles CISM CGEIT CRISC CDPSE

• Provided customers and internal AWS customer-facing roles with the mechanisms, content, and support needed to begin moving their workloads to the cloud by removing risk, security, and compliance blockers. • Completed over 120 customer due diligence questionnaires containing over 50,000 questions over 1500 hours focused on control domains like risk management, governance & oversight, personnel management & security, user device management, identity & access management, development & configuration management, data security & privacy, logging & monitoring, network management, physical security, vulnerability management, incident management, and business continuity & contingency planning which led to more financial services customer workloads migrating to AWS, at a higher velocity. • Developed and delivered a due diligence questionnaire training program for our Security & Compliance team of approximately 45 global members to scale the audit team capacity and educate new team members on AWS standard responses. • Led over 20 audit symposiums and direct audits to ensure financial services customers of AWS understand the security controls that AWS owns and performs on infrastructure resulting in no notable findings. • Led the development of User Device Management Controls training module as part of the broader Cloud Audit Academy which delivers AWS customers with training/guidance on implementing effective controls when operating in the cloud.

• Corporate Relations Committee Chair for 2020-2021 Board term. • Built a pipeline of key executives and identified presentation opportunities which showcase key executives and deliver valuable programming to our approximately 4,000 chapter members. • Led three Fireside discussions in 2020-2021 with attendance of over 200 people and event satisfaction scores averaging 4.5/5. Resources with information about ISACA New York Metropolitan Chapter: https://engage.isaca.org/newyorkmetropolitanchapter/home https://www.linkedin.com/groups/78520/

• Partnered with Asset Management business and technology partners, peer IT Risk Managers for other divisions, and the corporate risk function to identify key risks, define remediation plans, and implement the defined remediation timely to limit exposure and stay within defined risk thresholds from the agreed risk appetite statement. • Led the significant improvement of business and IT risk dashboards for Asset Management to be within acceptable tolerance within 1 year as demonstrated in key metrics for the Corporate & Board Level Risk Committees.

• Authored and drove the implementation of ORM and ERM Policy components. • Implemented & promoted the use of IBM OpenPages as our GRC platform to capture & effectively report operational risk data to various groups & levels within the organization including the Audit Committee as well as Board of Directors. • Harmonized and aligned the various second line of defense functions (i.e. Ops Risk, ERM, Compliance, SOX, Information Governance, Information Security, etc.) and third line, i.e. Internal Audit. • Demonstrated the value proposition for business teams when focused on risk identification and management. • Implemented common risk taxonomy, business hierarchy, and reporting standards which resulted in high quality Board & Audit Committee reporting showing consistency in risk management activity across the enterprise, which provided a better understanding of top risks, approach to implement controls, and the resulting impact was reduced exposure. • Recipient of the 2015 CFO Recognition Award for leading global team initiative to enhance the efficiency and effectiveness the Company's processes and controls as it relates to the delivery of our services and products for clients.

• Built a framework and formal program for both Operational & IT Risk which harmonized processes across three distinct entities in the bank that were operating differently. • Results were BNP Paribas was able to comply with section 165 of the Dodd-Frank Act (DFA), requirement to establish an Intermediate Holding Company (IHC) over its US subsidiaries.

• Implemented an IT Self-Identification Reporting Program for the GECC enterprise, 12 business units that delivered a procedure, process and multiple GRC tool trainings that enabled IT organization resources to raise, draft risk response plans and actively manage issues until all gaps are closed which reduced the overall risk exposure to the enterprise. • Launched Internal Loss Data (ILD) program for the IT function as part of the Enterprise & Ops Risk Program requirements. • Acted as Co-Assignment Leader (AL) & mentor for Information Technology Leadership Program (ITLP) Interns and FTEs.

• Implemented MetricStream as the Governance, Risk and Compliance (GRC) solution for risk management data and business unit as well as executive level reporting. • Provided ongoing training, reference materials and support to all 12 GECC business units on performing Enterprise & Operational Risk Management responsibilities per Operational Risk Management Policy.

• Led the requirements development, implementation and testing for IBM OpenPages Governance, Risk and Compliance (GRC) System across the enterprise.

• Developed metrics and reporting which display the completion of 25 quality initiatives and their ongoing monitoring to portray the value added, cost savings and efficiency in ensuring these initiatives are put into play. • Reduced the overall time to detect operational incidents by 50% from their occurrence date through detective controls reviews and updates as warranted.

• Built all components of the risk program and risk committee for FPCMS and FMR Co.

• Met client productivity targets and performed billing analysis. • Led effective resource management and focused on developing team. • Developed interviewing strategy program for the group to attract new talent. • Led new implementations (requirements development through ongoing oversight). • Served as relationship manager to the SAS70 auditor and managed final report with zero exceptions noted.

• Coordinated with the systems development team to resolve non-compliance with agreed upon client requirements identified via test planning & execution, and upon systems fixes, re-testing was performed to validate for client pension & health plan implementations. • Led offshore training for India associates for various ongoing pension and health plan administrative processes.