Three Lines of Defense and Business Continuity February 18, 2016

Mike Richardson, Director of Engineering and Project Delivery Alpa Parikh, Director of Internal Audit

Washington state’s oldest local energy company 1.1 million electric customers and more than 760,000 natural gas customers Over $3 billion in revenue and over 3,000 employees Headquartered in downtown Bellevue

Puget Sound Energy Headquarters

Wild Horse Wind and Solar Facility and Renewable Energy Center

Snoqualmie Falls Hydroelectric Project

Hopkins Ridge Wind Facility

Baker River Hydroelectric Project

9 Three Lines of Defense – A framework to promote clear accountability for risk taking, oversight and independent assurance within PSE 1 st Line – Business Lines Ensures quality products/services and does it right the first time. Delivers on the commitment of trust our customer expects. 2nd Line – Business Continuity, Enterprise Risk Management, etc. Helps the Company understand and fulfill requirements through policies, programs and training, while providing oversight of first-line activities. 3rd Line -- Internal Audit Services Brings independent testing and validations to ensure we’ve met requirements and delivered on commitments. Lines of DefenseRisks 2nd 3rd 1st

10 1 st Line of Defense 1 st Line – Business Lines Ensures quality products/services and does it right the first time. Delivers on the commitment of trust our customer expects. 2nd Line – Business Continuity, Enterprise Risk Management, etc. Helps the Company understand and fulfill requirements through policies, programs and training, while providing oversight of first-line activities. 3rd Line -- Internal Audit Services Brings independent testing and validations to ensure we’ve met requirements and delivered on commitments. Lines of DefenseRisks 2nd 3rd 1st

11 2 nd Line of Defense 1 st Line – Business Lines Ensures quality products/services and does it right the first time. Delivers on the commitment of trust our customer expects. 2nd Line – Business Continuity, Enterprise Risk Management, etc. Helps the Company understand and fulfill requirements through policies, programs and training, while providing oversight of first-line activities. 3rd Line -- Internal Audit Services Brings independent testing and validations to ensure we’ve met requirements and delivered on commitments. Lines of DefenseRisks 2nd 3rd 1st

12 3 rd Line of Defense 1 st Line – Business Lines Ensures quality products/services and does it right the first time. Delivers on the commitment of trust our customer expects. 2nd Line – Business Continuity, Enterprise Risk Management, etc. Helps the Company understand and fulfill requirements through policies, programs and training, while providing oversight of first-line activities. 3rd Line -- Internal Audit Services Brings independent testing and validations to ensure we’ve met requirements and delivered on commitments. Lines of DefenseRisks 2nd 3rd 1st

13 Internal Audit coordinates across the organization to ensure that risks both known and unknown are prepared for Senior Management 1 st Line of Defense Board of Directors 2 nd Line of Defense 3 rd Line of Defense Emerging Trends and Industry Expertise - Participates in forums and industry-specific trainings to independently identify risks to the Company. - Consults with external Subject Matter Experts and engages third-party audit support. Internal Audit and Consultation - Provides assurance to the Board of Directors that internal security risks are being reviewed and addressed. - Provides assurance to management that processes and controls are sufficient to mitigate identified risks. By reporting both to the Board of Directors and Senior Management, Internal Audit is able to coordinate across the organization.

14 NEW! Practice Guide: Internal Audit and the Second Line of Defense

15 Business Continuity Implementation : Third-party firm benchmarked PSE’s Business Continuity Program : Risk mitigation plan developed : Business Continuity partnered with Internal Audit to validate plan aligns with Best Practice. Plan implementation begins : Internal Audit confirms identified risks are mitigated

16 Risk and Program Scope Business Continuity Risk A failure to plan, respond to, and recover from human and naturally caused events that disrupt core business functions for an extended period of time. Scope of Business Continuity Program Reduce or eliminate risk through vigilant, continual preparation. Preparation requires a well-designed sustainable framework and methodology to assess risk and develop effective response strategies; tools to streamline processes; a culture of accountability and continuous improvement.

17 Best Practice Mature Program Attributes 1.Corporate sponsorship (Business Continuity Steering Committee) 2.Comprehensive business impact analysis 3.All-hazard plans for business units 4.Periodic exercises and after-action reviews 5.Periodic plan updates (incorporating after-action review findings) 6.Enterprise governance risk compliance tools (Archer eGRC) 7.IT Disaster Recovery (DR) plans and sequencing procedures 8.Facility availability 9.3 rd- party vendor availability 10.Identified risk and gaps have been accepted or plans in place to mitigate 11.Continuous improvement mentality

18 PSE Business Continuity Program Attributes 1.Corporate sponsorship (Business Continuity Steering Committee) 2.Comprehensive business impact analysis 3.All-hazard plans for business units 4.Periodic exercises and after-action reviews 5.Periodic plan updates (incorporating after-action review findings) 6.Enterprise governance risk compliance tools (Archer eGRC) 7.IT Disaster Recovery (DR) plans and sequencing procedures 8.Facility availability 9.3 rd- party vendor availability 10.Identified risk and gaps have been accepted or plans in place to mitigate 11.Continuous improvement mentality

Three Lines of Defense and Business Continuity February 18, 2016