Enterprise Compliance Program Framework

Meri's space

Created on October 6, 2025

What, why and the how for an ECP

Transcript

Legal Department

Building an Enterprise Compliance Program (ECP)

Why Implement an Enterprise Compliance Program

Moog Culture & Values

Stakeholder Expectations

US DOJ Obligations

Enterprise Success

Enterprise Risk Management

Costs associated with compliance missteps

within last 5 years
  • FCPA Violation - $1.1M +
  • IP Lawsuits -
  • Trade self disclosures -
  • US injury claims related losses - $40M
  • QA Non-Conformances -
  • Employment law claims -
  • Chemical / Environmental -

'Even minor missteps can damage our reputation.' - Pat Roche, CEO, September 2025

Enterprise Compliance Program

Purpose
  • Empower Moog leaders to recognize and prevent even minor missteps in compliance with external and internal obligations.
  • Program will identify risks and necessary controls to mature Moog's regulatory and compliance performance in alignment with Moog's business objectives.
Customer Focus | People, Planet, Community | Financial Strength

Enterprise Compliance Program Strategic Objectives

ECP - Core Program Elements

Compliance Governance

Risk Assessment Program

Third Party Risk Management Program

Incident Management Program

Learning and Educational Program

Culture Maturity Program

ECP Road Map - FY26

Compliance Risk Assessment

Q1/Q2

Q3

Q4

Structure, RACI and Surveys

Data Assessment and Rollover

Phase 2 plan development

Third Party Risk Assessment

Q1/Q2

Q3

Q4

Methodology and Software

Data Assessment

Phase 2 plan development

ECP Road Map - FY26, Cont'd

Compliance Governance

Q1/Q2

Q3

Q4

Minimum Needs Mapping Organizational planning

OCM Campaign on ECP Steer Co Kick Off

Develop ECP Steer Co and OCM plan for ECP awareness

Incident Management

Q1/Q2

Q3

Q4

Definitions and Reporting phase implementation within Legal Team

Reporting within legal continues

Needs assessment for maturing program based on trends

ECP Road Map - FY26, Cont'd

Compliance Culture

Q1/Q2

Q3

Q4

OCM 101 for Legal Dept.

Determine priorities based on past year of projects

Build out ECP Maturity Model

Learning and Education

Q1/Q2

Q3

Q4

Not started

Define ECP expectations and measures for affected personnel Know-How

Determine resource gaps to meeting ECP requirements across Risk Owners

Enterprise Compliance Program

Organization Mission

In alignment with Moog's Business Code of Conduct, Values and Culture, we exist to implement programs and business systems that ensure the organization:

  • Recognizes, comprehends and reliably mitigates compliance and regulatory risks
  • Implements governance to ensure Moog has a minimum set of requirements all compliance programs shall meet.
  • Incorporates regulatory and compliance risks into its business plans
  • Measures and reports on Enterprise compliance performance
  • Matures Enterprise compliance and risk mitigation culture.

Compliance Staff Roles & Responsibilities

Ethics, Compliance and Transactions Associate General Counsel
Chief Compliance Officer (CCO), FY26, Q2
Compliance Director, FY27 Q3
Sr. EC Program Manager, FY27
Risk Assessment Program Manager, FY26 Q4
EC Program Manager, FTT FY26, Q2
IG Compliance Team
Information Governance Manager
Organizational Change Manager

Governance is the set of enterprise standards that govern compliance program structure, roles, required documentation, record retention and decision-making processes to ensure the company is directed, controlled, and accountable to its stakeholders. The purpose of ECP governance is to ensure enterprise compliance standards are published with clear, concise roles & responsibilities in partnership with stakeholders. Governance will ensure the Enterprise has the oversight and processes to sustain execution and plan strategically in compliance matters. Key Initiatives:

  • Global Compliance Committee comprised of functional "Risk Owners" who will be expected to help shape the Enterprise Compliance Program and subsequently align their programs underneath.
  • Information Governance Committee comprised of key stakeholders who will be chartered to implement a central system for governing all enterprise-level compliance and legal documentation/records.

The Compliance Risk Assessment program identifies the external and internal regulatory compliance topics that a business is subject to and measures the risk of non-compliance to the business. It is tailored to assess current and emerging regulations, internal conformance to policies/processes, and the document controls that are in place or needed to mitigate risk. Standardization of the assessment terminology and rankings is necessary for Enterprise oversight. Key Initiatives:

  • Define Risk levels and associated scoring process
  • Identify Business Material Risk categories and legal obligations within per SME
  • Implement Phase 1 Enterprise Risk Assessment
  • Roll results into new Enterprise Risk Assessment software for Phase 2 action plan development

Third Party Risk needs to be managed across the Enterprise. Management of third parties entails:
Pre-partnership onboarding processes such as:

  • Identification and classification of third parties Moog pays or receives payment from.
  • Screening and assessing of business and compliance risks.
Post-onboarding:
  • Continuous business and compliance risk assessments
  • Linking business controls that are necessary to mitigate third party risks
  • Escalating third party risks for further investigation/remediation
  • Measuring, monitoring and reporting on KPIs to manage third party risk
  • Gifts and Entertainment tracking and approval process
Key Initiatives:
  • Implement enterprise software program for onboarding and continuously performing TPR assessments.
  • ERP and Supply Chain - TPR control identification and improvement plan
  • Assessment and improvement of Moog Third Party related policies and procedures

"Incident" Management is a holistic reporting, investigation, corrective and preventative action program. "Incident" is defined to include at-risk behaviors, human and organizational near misses associated with compliance, and events that are non-conforming to external or internal requirements. This program will manage events from the time of report until lessons learned have been cascaded and associated action plans have been documented and driven to completion. Key Initiatives:

  • Legal Department Incident Management Program
  • Enterprise Compliance Incident Management Program Standard

Competence is King. Effective, blended, job-specific training and on-demand access to educational resources are essential to build adult learner competency. Compliance trainings and associated resources need to be effective, relevant and timely. Subject Matter Compliance experts have a role and responsibility to ensure their training and communications are effective and promptly change managed. Affected personnel attestations are ineffective at building behavioral commitment to high-integrity work standards in the face of competing priorities. Key Initiatives:

  • Compliance program job applicable mapping to employee learning profiles in L@M
  • Micro-learning resources to enhance compliance competence.

Culture - the patterns of behavior, motivated or demotivated by people, processes or systems. Cultures can be shaped, and maturity models are effective tools for this. Behavioral maturity models offer more clarity and remove subjectivity to drive stronger alignment and commitment to a cultural improvement effort. Key Initiatives:

  • Define the compliance behaviors the enterprise will see across 4 stages of maturity (standardize using EHS Maturity Model template)
  • Increase Legal Department awareness and basic behavioral principles associated with changing legal and compliance behaviors across Moog.
  • Build OCM playbook for Legal Compliance teams who need others to implement and sustain compliance with ECP.

Compile Risk Assessment Results and shift to new platform

Risk results will be assessed, validated and rolled into new GRC software. Need IT support for software setup and data migration. Need admin support for data compilation and visuals.

Set definitions, scope and methodology, then deploy

An initial risk tool will be deployed to phase 1 stakeholders for risk data collection. Needed support from OCM staff and OG General Counsel. Need buy-in from MET. Need IT temp support.

Phase 1 Risk Mitigation Action Plans and Phase 2 Risk Assessment Plan

Need Compliance Point person per OG. Need Compliance Steer Co. Need Risk Assessment Program Manager.

Analyze Assessment Results and shift to new platform

Risk results will be assessed, validated and interim stop gap measures deployed to repeat violation risks. Need IT support for software setup and data migration. Need admin support for data compilation and visuals.

Phase 1 Risk Mitigation Action Plans and Phase 2 Risk Assessment Plan

Need Third Party Point person per OG. Need _____

Set definitions, scope and methodology, then deploy

An initial risk tool will be deployed to phase 1 stakeholders for risk data collection. Needed support from OCM staff and OG General Counsel. Need buy-in from MET. Need IT temp support.

Enterprise Compliance Programs Shall Have:
  • Annual compliance risk assessment program that measures and reports out compliance risks and improvement recommendations.
  • Compliance policies and procedures that relate to affected workers' roles & responsibilities and are easy to find and searchable, so workers can learn more.
  • Policy and procedure use and affected persons competence measures.
  • Third parties screened prior to onboarding and continuously monitored for compliance risk and adverse media, sanctions and politically exposed persons, with process controls in place to mitigate risks.
  • Compliance concerns, near misses and incidents are reported and investigated to identify human and organizational root causes and processes to prevent reoccurrence.