Page 6 - Global Risk Advisory – Connected Thinking
Global Risk Advisory PCoE | Connected thinking

The right formula for a real partnership

Simplification and system rationalisation to deliver and support continued growth across the Group, and ensuring that the organisation remains compliant and competitive in an increasingly complex industry.

Malcolm Drysdale, Global Roche Lead Client Services Partner

Roche has been, and will always be, considered one of Deloitte's most important clients, not only in Switzerland, but across our global network. As your Lead Client Services Partner, I personally assure you that our entire leadership team and global network stand behind Reto, Amit and the team to support in the delivery of this program and all the commitments made within this response. In Reto, Amit and their team, you have a comprehensive global network of experts with an unrelenting passion for quality and innovation and with deep expertise of delivering similar projects across the life sciences and healthcare industries.

Marcy Imada, US Roche Lead Risk Advisory Business Partner

Deloitte’s strong commitment to a trusted advisor relationship with Roche (including Genentech in the US) has been a constant over more than 15 years of service delivery and collaborative teaming together. Our global Deloitte team would be greatly privileged to serve Roche on the IAM Design and Implementation initiative. You have our promise to mobilize a team that is laser focused on driving value to Roche through innovative strategy and experienced delivery. We recognize the great importance of this initiative to Roche and welcome the opportunity to demonstrate our deep commitment to and investment in Roche’s success.

The journey ahead

We have optimized the planned phases / projects to gain efficiencies, reduce cost and most importantly minimize risk and business impact.
We believe that this updated approach provides the best user experience to the users while abstracting them from the technical complexities of implementation. The biggest impact to the timelines is the adoption of an application-centric approach where each application is impacted once for integration with all applicable IAM capabilities – provisioning, certification, SSO and PAM.

Phase 1: Build Identity Foundation & migrate core applications

Establish the foundational framework for identity governance around core capabilities, set up a single interface for all access requests and integrate core applications (50) across all capabilities.

• Review Architecture and infrastructure
• Establish Identity Governance foundational framework – SSO, PAM, IGA, IAM etc.
• Define Reporting and Analytics framework
• Design and develop factory framework for application on-boarding
• On-board core applications for access request, access review, access management and privileged account management
• Develop the centralized access request interface to raise all in-scope access requests from the new IAM system
• Build the integrations with the legacy systems

Phase 2A and 2B – Enhance Capabilities and Coverage

Phase 2A is a dedicated phase for directory consolidation and for continued application on-boarding.
Phase 2B enhances the IAM capability further to manage contractors and ExBPs and to on-board the remaining SIMS and Enroll applications.

• Consolidate directories and enhance repository management capabilities
• Migrate DirMaster capabilities into IAM
• On-board applications into SailPoint, CyberArk and Ping
• Establish contractor and ExBP management framework
• Factory migration of SIMS and Enroll applications
• Develop capability for risk-based review
• Enhance PAM capabilities for managing infrastructure admin accounts

Phase 3 – Continued Maturity

Enhancing IAM capabilities to mature the IAM solution and begin the journey towards role-based access control, cross-application SoD and protecting unstructured data.

• Develop Generic account management capabilities
• Develop Role lifecycle framework
• Develop SoD discovery, configuration and remedy violation capabilities
• Replace ADRS and AD2DB
• Assess current unstructured data governance capabilities and provide a recommendation on the go-to strategy
• Operationalize the IAM solution deployed in the previous phases

Our alternative, agile approach

Increased benefits through our focus and experience

Roche is transforming. Your commitment to IAM simplification and system rationalisation is central to delivering and supporting continued growth across the Group, and ensuring that the organisation remains compliant and competitive in an increasingly complex industry. We at Deloitte have first-hand experience being in your shoes and understand the importance of being a true partner. In that spirit we have brought our extensive know-how in similar projects together and have identified an alternative, agile approach that we would like to discuss with Roche.

Our focus

• Put the user front and center to minimize impact
• Reduce dependencies and disruption to business by optimizing integration process
• Accelerate projects that directly impact business users
• Adopt an agile IAM methodology that provides flexibility to adapt to change
• Standards-based integrations (minimal customization) with a component design for a future-proof solution
• Leverage previous experience in delivering success for Roche

Deloitte’s team consists of an experienced leadership that has been responsible for similar programs and knows Roche in depth.

Agile, Sustainable, Simplified

Roche’s benefits

• Better user experience leveraging a single unified user interface
• Effective risk mitigation and reduced risk profile
• Faster time to value
• Increased agility
• Reduced cost and complexity (estimated 20% reduction in onsite hours)
• A sustainable solution
• A partner with real-world experience that can navigate Roche’s organizational complexity

[Figure: program timeline by phase and activity, with dates from Nov 2019 to Dec 2021. Legible activity labels: Password management; Central Authentication; New SailPoint frontend; Birthright; IGA Core Apps; IAM reporting; RADA migration; Perf and Metrics; RUD/GNE-AD/SIMS app migration; App on-boarding; Contractor/Ex-BP management; Workday; Fieldglass; JML for Employee; SIMS Migration; SIMS External; SailPoint foundation; Entitlement reviews; DirMaster Decommission; PAM for Infrastructure; Decommission Enroll/RUD; SoD; Role; Unstructured data.]

Leverage Deloitte’s Madrid-based EMEA Security Delivery Center (EDC) for nearshore development capabilities

An operations partner that is close to Roche’s operations

We look forward to flexing our model for maximum impact and reward based upon your needs and dependencies.