0136-00006722 (1)


Risk Management

A direct result of the financial crisis over the last 18 months has been the growing focus on improving Enterprise Risk Management (ERM) in global organizations. ERM has become one of the most important tasks of corporate leadership teams. Regulatory agencies, politicians, and stakeholders are actively lobbying boards of directors and corporate leaders to formalize their ERM activities and improve the linkage between performance and accountability. There are new SEC disclosure requirements concerning ERM and increased ERM program scrutiny by rating agencies.

It is important, however, to recognize that ERM is not an exercise in risk minimization. “It is perfectly appropriate – indeed essential – to the health of our economy, and to product innovation and enhancement, for some companies to adopt business models and strategies that have greater risks than others. In successful businesses, boards and management work together to define an acceptable level of risk that produces the greatest opportunity for reward.” NACD Risk Governance – Balancing Risk and Reward

There is no one-size-fits-all solution for ERM – each company is unique. Risk management must be built into the rhythm of the business. It must be accomplished in a way that realizes real business value and gives the board the appropriate level of meaningful risk management information. Johnson Controls is in the third year of its corporate-wide ERM program. The program is broad based, multi-faceted and continues to evolve to address this rapidly changing environment. The program is built on a solid foundation of decades of Internal Audit risk monitoring and a series of recommendations in 2007 from the Risk Management XLP Team. The current program includes participation from senior leadership at each of the business units, the key corporate functions of finance, strategy, human resources, legal, and information technology, the Executive Operating Team (EOT) and the Board of Directors.

Corporate Executive Board research has shown, over the past few decades, that strategic risks pose a far greater threat and have had a far larger impact on corporate performance than more traditional audit-related risks like fraud, reporting and compliance. Based on this research and XLP benchmark recommendations, Johnson Controls gave the strategic planning function the role of ERM program administration and coordination. Corporate strategic planning works closely with the strategic planning functions in the business units to direct critical ERM activities. The ERM program is run independently from the Internal Audit function, though there is increased communication and information sharing between the groups. Though strategic planning has the lead on ERM, the program has broad participation throughout the leadership ranks, and that participation has grown each and every year.

In addition, regular benchmarking of the Fortune 500 has resulted in program changes and enhancements, most significantly several months ago with the addition of a formal Risk Committee. The Risk Committee was created in January 2010 to address ERM program deficiencies and to provide C-suite leadership on this important topic. The Committee oversees the ERM program and ensures increased accountability and communication with the Board and the applicable Board Committees. The composition, roles and responsibilities, and action plans of the Risk Committee will be discussed in further detail below as part of a broad overview of our ERM program.

ERM process steps

Though the ERM process is a never ending year-round activity, a new assessment phase commences every November, coinciding with the start of the strategic planning calendar. The first step in the ERM process is the validation of the total “risk universe”. The risk universe is a collection of risks built on environmental analysis and external benchmarking. The original universe was composed of 83 risks in six focus areas: external, strategic, operational, people, financial, and legal & compliance. Each year the universe is reviewed and amended. In last year’s assessment, we added twenty new risks {103 in total – see appendix (Attachment 1)} to address emerging concerns created by the economic crisis. These additions included risks like: changing consumer needs, OEM restructuring cost share, investment prioritization, SG&A contraction, work-life balance, and growth & innovation funding risk. No new additions to the universe were made in this year’s assessment process.

The second step in the process requires each business unit/corporate to select the 50 risks that are most likely to impact their ability to achieve their strategic objectives. Business unit strategic planners solicit input from their leadership teams to build their unique “top 50” list and the corporate planner does the same with the corporate functional leadership. This step narrows the focus for the mapping exercise to a more manageable group of high impact risks. While there is naturally some risk overlap among the businesses only 20 of the 50 risks were common across all business units and corporate.

The third step in the process is a mapping exercise. The mapping phase uses a Johnson Controls developed, web-hosted tool called the “Solutions Risk Navigator” (Exhibit 1). The tool evaluates each risk in three dimensions and maps them on a “Navigator Board”. The first dimension (x axis) is the likelihood that the risk will occur - rated on a (1-5) scale from remote (1) to virtually certain (5). The second dimension (y axis) is the impact on Johnson Controls if the risk actually occurred - rated on a (1-5) scale from minor (1) to catastrophic (5). The final dimension is Johnson Controls’ current effectiveness at addressing that risk - rated on a (1-3) scale from low (1) to high (3) and identified visually with red (low), yellow (medium) and green (high) indicators. The result identifies risks that have the highest likelihood of occurrence, greatest severity on the organization and the lowest current effectiveness – essentially red and yellow circles in the upper right quadrant (Exhibit 2). We created a simple formula that takes the average of the impact and the likelihood and subtracts the effectiveness which allows us to score and rank the risks. Business unit leadership reviews this output in a workshop session and assesses whether the “top 10” by formula is in fact the “top 10” risks facing that business unit. The business unit has the right to modify the tool’s output and report the risks they feel present the largest threat.

Exhibit 1 – Solutions Risk Navigator sign-on webpage

Exhibit 2 – Risk Navigator Tool mapping dimensions

Hosting the Risk Navigator on the web has allowed us to continue to expand participation in the ERM program every year as well as eliminate the scheduling and participation challenges of individual workshops. Automotive Experience and Power Solutions for example, expanded their participation from 9 and 12 leaders respectively in 2008 to 51 and 94 leaders in 2010. The annual mapping data are recorded in a database and made available to all risk coordinators (Exhibit 3). This allows for score trending, emerging risk identification and mitigation effectiveness assessment.

Exhibit 3 – Risk Navigator mapping database (partial extract)

Operational Risks (each measure has year columns 2008–2012; recorded values are listed in year order)

Risk | Risk Score | Likelihood of Occurrence | Impact if it Occurs | Effectiveness at Addressing Risk
Crisis Communication | 0.93 | 2.90 | 3.33 | 2.19
Budgeting & Forecasting | 0.00, 0.89, 0.19 | 2.00, 3.14, 2.41 | 3.33, 3.64, 3.11 | 2.67, 2.50, 2.57
Working Capital | 0.28, 1.34, 0.14 | 2.33, 3.36, 2.34 | 3.33, 4.23, 3.31 | 2.56, 2.45, 2.69
Technological Innovation | 2.39, 1.05, 1.40 | 3.56, 3.00, 3.36 | 3.44, 3.38, 3.31 | 1.11, 2.14, 1.93
Market Research | 0.75, 0.57 | 2.82, 2.76 | 2.86, 2.61 | 2.09, 2.11
Design & Development | 1.56, 1.05, 1.26 | 3.33, 2.95, 3.31 | 3.78, 3.23, 3.29 | 2.00, 2.05, 2.03
M&A Due Diligence | 0.89, 0.32, 0.29 | 2.89, 2.36, 2.37 | 3.56, 3.36, 3.18 | 2.33, 2.55, 2.48

A review of this year’s highest effectiveness scores in each of the businesses demonstrates the value of focused corporate-wide initiatives and leadership commitment to those initiatives. Our established programs for ethics, health & safety, and working capital are good examples (Exhibit 4). While high effectiveness scores don’t eliminate the risk they do provide evidence that people are actively engaged in addressing these key issues and in many cases demonstrating success at managing them.

Exhibit 4 – Highest effectiveness scores by business in 2010 risk mapping

Automotive Experience | Building Efficiency | Power Solutions
Corporate Monitoring (2.77) | Ethics (2.78) | Tone at the Top (2.75)
Working Capital (2.69) | Cash Management (2.76) | Environmental (2.67)
Growth & Innovation Funding (2.64) | Health & Safety (2.75) | Manufacturing Operations (2.59)
Inventory (2.63) | Internal Controls/SOX (2.75) | Capital Allocation (2.58)
Commodities (2.61) | Working Capital (2.71) | Capital Availability (2.56)
Ethics (2.61) | Tone at the Top (2.67) | Quality (2.56)
Budgeting & Forecasting (2.57) | Debt (2.63) | Service Failure (2.56)
Strategic Alignment (2.52) | Labor Relations (2.59) | Budgeting & Forecasting (2.53)
Environmental (2.49) | Capital Availability (2.57) | Debt (2.49)
M&A Due Diligence (2.48) | Incapacitated Leadership (2.55) | Equity (2.47)
 | Corporate Monitoring (2.55) |

2010 ERM Output

The corporate-wide consolidated list of top risks saw a significant change over last year. Only three risks remained on the top ten list as broader fears of economic collapse subsided. Top risks reflected lingering concerns about the long term prospects of our customers, the threat of new and substitute products, and the pressure on lean organizations in an improving economy. Quality received renewed oversight as several business units identified the need to refocus attention there, particularly in light of the recent hypersensitive “Toyota” experience. Business continuity, the ability to recover and maintain business operations in the event of a disruption due to physical or natural circumstances, also received a lot of attention given our growing share in global markets and significant sole source awards. Senior leadership challenged the businesses to assess not only our internal ability to recover but also our contingency planning around a significant interruption from one of our key suppliers. Other top ten risks migrated once again to competitive threats, technological innovation, design and other growth related concerns.

Top risks identified by each business unit saw significant changes over last year. Automotive Experience had only two top ten risks that survived from 2009. Building Efficiency and Power Solutions both had four risks that carried over. The shift back from a financial crisis focus in 2009 to concerns about growth and a recovering economy in 2010 was clearly evident in each of the businesses.

For all of the businesses, the March strategy meetings were an opportunity for rich discussion on risk awareness and risk sensitivity. Dialog on concentration risk and business continuity risk was particularly enlightening for the businesses. Corporate posed several credible scenarios that could dramatically impact our ability to fulfill sole source commitments. That reality check motivated some of the businesses to explore additional what-if scenarios (natural disasters or key supplier interruptions) and build more robust business interruption plans.

Risk management and mitigation plans

Once the business unit leadership has identified their top risks, they present them to the corporate leadership team during the March strategy meetings. The risks are discussed and the corporate leadership team provides additional perspectives and concerns. The business units begin to develop formal management / mitigation plans for each of the “top 10” risks. These plans assign owners, identify specific actions and track ongoing progress. As identified earlier, some top risks have carried over from the prior year. In those cases the management / mitigation execution continues from the prior year. If new risks are added, the active set of plans is expanded. The corporation adopted a new single page risk dashboard to track individual risk management / mitigation progress and a single page business unit risk overview dashboard (Exhibits 5-6). These dashboards will be updated quarterly and reviewed by the Risk Committee. The strategic planning team in each business will ensure that risk management and mitigation plans are incorporated where appropriate in their strategic plan initiatives.

Exhibit 5 – Automotive Experience’s risk mitigation plan dashboard (Quality)

Exhibit 6 – Automotive Experience critical risk overview

Legal & Compliance Risk Management

We learned in last year’s economic crisis environment that high profile “front and center” risks often dominate the risk assessment focus. In 2009, they overshadowed many of 2008’s growth related top risks and the people, legal and compliance areas lost total visibility. To correct the deficiency and provide greater comfort that these risks were effectively monitored, the ERM team created and deployed a “Legal, Compliance and Internal Audit Risk Navigator” tool modeled after the ERM tool already in use. In October 2009, the legal and compliance team surveyed more than 1,000 JCI leaders and asked them to map 50 legal and regulatory risks in their businesses on 3 criteria: (1) the likelihood of each risk occurring within their business, (2) its impact on the business if the particular risk were to occur and (3) the perception of the efficacy of JCI's existing processes and controls to guard against these risks. The team had a response rate of approximately 70%. The raw data from the initial phase of the risk assessment was tabulated and plotted on heat maps. The top 10 risks for Automotive Experience and Power Solutions were recently presented to the Disclosure Committee. Building Efficiency will present in June.

Each of the businesses has been asked to review its top 10 legal and compliance risks and reprioritize if appropriate. The legal and compliance team developed and distributed templates and instructions. Unlike the variability of top ERM risks across business units, the top legal and compliance concerns were more consistent across all groups.

The Council will select the top 3-5 risks that each business unit will address more formally over the next 15 months. Project plans are due in late July 2010 with a full implementation and audit process to be complete by August 2011 (Exhibit 7). Legal and compliance plans to repeat this process every 18-24 months thereafter.

Exhibit 7 – Legal and Compliance Risk program calendar

The output from Legal & Compliance’s October 2009 mapping exercise was shared with the Internal Audit Team prior to the finalization of their 2010 Audit Plan. The Legal & Compliance risk mitigation plans will be reviewed periodically by the Risk Committee. A similar tool for human resource related risks is in development and should be deployed next year.

Risk Committee

Establishing a risk universe, mapping the risks, identifying the top risks and creating a management / mitigation plan for those risks was sufficient to place Johnson Controls in the second quartile among Fortune 500 companies’ ERM programs. In order to achieve first quartile performance we needed to add a process or processes that allowed for regular risk updates, continuous identification of emerging risks, and a formal process to review and set the appropriate risk appetite in key areas. In addition, it was important to increase risk communication and reporting among and between company leadership, the Board of Directors and Board Committees (Exhibit 8).

Exhibit 8 – ERM “best-in-class” risk management process steps

Research from the Corporate Executive Board’s Risk Integration and Strategy Council, along with additional benchmarking, indicated that the addition of a Corporate Risk Committee within Johnson Controls could address the program deficiencies. In January of 2010, the Johnson Controls Risk Committee was formed with high level leadership participation from corporate and the business units (Exhibit 9). The Executive Director of Corporate Strategy serves as the risk coordinator and committee secretary. He is responsible for coordinating the risk program and its meetings. One Global Leadership Council (GLC) member from each business unit serves as the risk leader for their business. This assignment is a leadership development step for each of these three participants, one that gives each of them greater exposure to risks from across the corporation. The Risk Committee roles and responsibilities are summarized below.

Exhibit 9 – Johnson Controls Risk Committee members

Risk Committee roles and responsibilities

The Risk Committee assists the company’s senior leadership and Board of Directors in fulfilling their responsibilities for oversight of the company’s Enterprise Risk Management program. Responsibilities include:

- Development, deployment and monitoring of an Enterprise Risk Management process applicable to the company’s operations worldwide
- Review all information related to various risk identification processes at corporate and in the business units (ERM, Legal & Compliance, Internal Audit, etc)
- Create a calendar and assign responsibility to review key risk areas throughout the year
- Discuss the company’s major risk exposures and the steps that have been taken to monitor, and where appropriate, mitigate the risks
- Establish the Company’s risk appetite and risk tolerance (volatility) related to specific exposure areas – quantify specific levels where appropriate
- Identify emerging risks and threats both discrete and those created by aggregated and cascading risks
- Regularly report to senior leadership about committee activities, issues, and related recommendations
- Quarterly review the 10K Risk Factors and if necessary coordinate with the Disclosure Committee to report changes or updates in the 10Q
- Ensure regular reporting of program status to the Board of Directors to satisfy oversight responsibilities of the Board of Directors and its Committees

Strategic Planning roles and responsibilities

Corporate strategic planning works closely with the strategic planning functions in the business units and with the Risk Committee to coordinate critical ERM activities. The strategy group’s risk responsibilities include:

- Work with business unit to identify appropriate Risk Universe (Top 50 of 103)
- Deploy (annually) the risk mapping tool to generate the heat maps and top risks
- Assign risk oversight, management / mitigation responsibility to key individuals for the applicable portions of the risk universe
- Provide annual risk mapping data to key individuals to establish a baseline and identify risk trends
- Oversee the generation and monitoring of formal risk management / mitigation plans for “top 10” risks
- Ensure risks and risk mitigation are incorporated in strategic planning actions and initiatives
- Provide regular risk status reports to the business unit GLC Risk Leader
- Assist GLC Risk Leader in identifying emerging market and competitive risks

GLC Business Unit Risk Leaders roles and responsibilities

The GLC Business Unit Committee members act as the business unit representatives to the Risk Committee. They use their senior position within the business unit to collect risk related information and emerging concerns. The GLC risk leaders’ responsibilities include:

- Review annual risk mapping output - assess the importance of changing risk focus and emerging trends
- Assess "emerging" risks that could impact financial and strategic plan performance throughout the year
- Assess current contract commitment and contract liability risk - quantify where appropriate current exposure
- Identify emerging global regulatory and legislative actions that could pose significant risks to their plan
- Work with strategy leads to assess formal risk assessment and management / mitigation progress
- Share emerging risk concerns with strategy leads and BU Leadership – redirect resources as required
- Provide overview of risk management issues in your business at quarterly Risk Committee Meetings

Risk Appetite

One of the most important tasks of the Risk Committee is the subject of risk appetite. Risk appetite is the amount of risk an entity is willing to accept in pursuit of value. Entities often consider risk appetite qualitatively, with such categories as high, moderate or low, or they may take a quantitative approach, reflecting and balancing goals for growth, return and risk. Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, where the desired return from a strategy should be aligned with the entity’s risk appetite.

Different strategies will expose the entity to different risks. Enterprise risk management, applied in strategy setting, helps management select a strategy consistent with the entity’s risk appetite.

The approach to setting a risk appetite will largely depend on the type of risk. Easily quantifiable risks (e.g. market, financial, credit risk) naturally lend themselves to clear-cut risk thresholds that are relatively well defined. However, for less quantifiable risks the process of setting an appetite typically involves extensive discussions among senior management. A common mistake is to apply quantifiable metrics to setting risk appetites for risks involving a higher degree of subjectivity (e.g. regulatory risk, reputation risk). The end result should be a statement around the “amount” or “degree” of risk to be taken and how the company plans to track the risk – rather than a specific dollar amount.

With that philosophy as a guide, the Risk Committee drafted a collection of Risk Appetite Statements, thirty in all in ten criteria areas. The statements incorporated qualitative and quantitative descriptions of risk appetite with a conscious effort to incorporate the key elements of the Ten Year Marker and this year’s corporate-wide top risks.

Risk topics and the calendar

Another key activity of the Risk Committee is to periodically review key risk areas to better understand the size and nature of the risks we are exposed to. This would include areas like Enterprise Security, Information Technology and Treasury including all its related activities: cash management, debt, hedging, liquidity, insurance, etc. The Committee recently reviewed the Treasury functions including an overview of policies, procedures and directives. The review confirmed a robust oversight regime and risk exposures that were well within our tolerance.

The Committee identified a list of areas they wanted to cover throughout the year and created a calendar to review those topics. Each topic has a Risk Committee sponsor and outside presenters will be invited to review topic material (Exhibit 10). The committee meets as frequently as necessary to address the risk environment but at least quarterly.

Exhibit 10 – Risk Committee annual calendar (representative example)

Calendar columns: FEB, MAY, AUG, NOV, FEB, MAY, AUG, NOV

Sponsors: Chief Financial Officer; Automotive Experience GLC Representative; Building Efficiency GLC Representative; Associate General Counsel; Power Solutions GLC Representative; Chief Executive Officer; Exec Dir Strategic Planning; Exec VP Human Resources

Topics: Risk Factor Review 10K/10Q; Treasury (Insurance, Hedging, Liquidity, Etc); Pricing Risk (Commodity Recovery); Tax; Supply Chain / Business Continuity Risk; Information Technology; Contract Risk (Liquidated Damages); JV Exposure Risk (China Etc); Contract Risk (GWS, PC, Life Safety); Enterprise Security / Crisis Management; Regulatory & Legislative Risks (NAM); Environmental Risk (Asbestos Etc); Board Concerns; Enterprise Risk Identification & Mapping; New / High Risk Emerging Markets; Leadership Incapacitation - Aircraft Policy; Regulatory and Government Affairs

Risk universe network

Emerging risk identification and monitoring risk management / mitigation are two other key roles of the Risk Committee. With such a large risk universe, the Committee felt it was appropriate to create a distributed pyramid structure throughout the corporation to effectively monitor all of our risks by assigning a business unit leader a manageable number of risks that correspond to their area of responsibility. The current risk universe (103 risks) is being monitored by a select group of leaders (8-10) in each of the businesses and at corporate (Exhibit 11). This group or network of leaders serves two main purposes: first, as an early warning team to identify emerging risks throughout the year and second, as the primary person responsible to oversee the risk management / mitigation effort if one of their risks is identified as a top risk in the annual risk mapping exercise. This group is provided prior risk mapping data and scores to identify trends and areas of emerging concern (previously shown in Exhibit 3).

Exhibit 11 – Power Solutions risk universe owners (partial extract)

External Risks – Outside forces that can potentially affect the ability of the organization to achieve its business objectives and strategies.

1. Competition Risk - Actions of competitors or entrants to the market affect JCI's competitive advantage and/or ability to survive. Risk Owner: Kim Metcalf Kupres

2. Economic Factors Risk - Inability to react to fluctuations in the economy that increase or decrease demand (e.g., substitution, complementary) for the organization’s products and services. Risk Owner: Kim Metcalf Kupres

3. Changing Consumer Needs Risk - Inability to cater to changes in consumers' demand that increase or decrease production volume; forces them to switch suppliers e.g. bigger vehicles (more rows of seats) to smaller ones (less rows of seats); luxury (leather) vs economical (fabric) ones; corporate direction and/or policies ie cost-reduction, etc. Risk Owner: Kim Metcalf Kupres

4. Financial Markets Risk - General movements in capital market prices that affect the value of the organization’s financial assets including credit spreads and underlying stock valuation, which in turn affect stakeholders’ confidence in the organization and its ability to raise capital (debt and equity). Risk Owner: CORPORATE

5. Legal Risk - Inability of the organization to comply with current, changing, or new laws threatens the organization’s capacity to consummate important transactions, enforce contractual agreements, or implement specific strategies and activities. (ie Inability to comply with 90 day employment and labor legislation of the new administration). Risk Owner: Jackie Ertl

6. Regulatory Risk - Inability of the organization to comply with current, changing or new regulations impacts the organization’s competitive advantage and its ability to effectively conduct business and achieve its objectives. Risk Owner: TL

7. Terrorism Risk - Failure to protect the organization from attacks, both domestic and international, that can disrupt day-to-day operations, preventing it from providing essential products and services to its customers. Risk Owner: CORPORATE

8. Activist Shareholder Risk - Failure to protect the corporation from a large shareholder buy-out which could result in controversial new management strategies. Risk Owner: CORPORATE

9. Sovereign/Political Risk - The occurrence of political actions (e.g., confiscation, expropriation, nationalization, deprivation; forced divestiture or forced abandonment; civil unrest; currency controls; import/export license cancellation; embargo; contract frustration) in a country where the organization has invested human and capital resources and where the impact can threaten the organization’s future cash flows and profit targets. Risk Owner: CORPORATE

10. Natural Hazard/Catastrophe Risk - Inability to plan for and recover from a major disaster (e.g., hurricane, earthquake, typhoon, epidemic) interrupts the day-to-day operations of the organization, preventing it from providing essential products and services to its customers and recovering its operating expenses. Risk Owner: Jorge Guillen

11. Weather Risk - Ability to plan for and recover from extreme seasonal weather fluctuations that impact operations and financials. Risk Owner: Jorge Guillen

12. External Relations Risk - Failure to develop external relations practice/communications (eg partner relations, community relations, media relations, etc) which is important especially in difficult times. Risk Owner: Rebecca Fitzgerald

13. OEM Restructuring Cost Share Risk - Potential for mandated/legislated "share the pain" provisions for suppliers to participate in OEM mandated restructuring. Risk Owner: Ray Shemanski

14. Widespread Diseases - The risk of diseases and pandemics to adversely impact the workforce and supply chain. Risk Owner: Jorge Guillen

The network of risk owners in each business will communicate regularly with their GLC risk leads and strategic planning team. They will provide a verbal assessment on their portion of the risk universe prior to each Risk Committee meeting. If they own any top risks, they own the mitigation responsibility and they will ensure that the management / mitigation dashboard is updated regularly and is readily available to the GLC risk lead in advance of a Risk Committee meeting.

The intent of the network is not to create a paperwork and reporting exercise but rather build a pyramid of distributed scanning / monitoring responsibilities that will create an informal conduit to identify and verbally share emerging risks, concerns and proposed actions. Every Risk Committee meeting will indirectly have input from over forty leaders (Exhibit 12).

Exhibit 12 – Risk universe monitoring network link to the Risk Committee

In early 2010, the top risks identified by the 2009 ERM mapping exercise were compared against the risks statements covered in our 2009 10K report. The process confirmed that the 10K had nearly total coverage of the 2009 top risks. In the future, the Risk Committee will assume the responsibility of reviewing the risk disclosures and updating or amending them as required based on risk process output or Committee discussion.

The SEC has issued a new rule (33-9089) imposing additional disclosure requirements in the annual proxy statement, including the Board’s role in managing enterprise-wide risks. The regulation went into effect February 28, 2010 and focuses on disclosure of board measures to manage enterprise-wide risks, including policies related to risk identification, risk appetite, and management of risk/reward tradeoffs throughout the enterprise. The intent of the disclosure is to extend risk management responsibility beyond the C-suite and enhance risk management awareness for all employees. The disclosure:

Must explain board leadership structure and the reasons why the company believes this structure is the most appropriate

Must define how the board administers its role in the oversight of risk management activities and whether and how the board, or board committee, monitors risk – How does the board/committee receive information from management?

Must include information regarding whether the persons who oversee risk management report directly to the board as a whole, to a committee, or to one of the other standing committees of the board

Risk oversight is the responsibility of both the management and the Board of Directors. The Risk Committee communicates its activities, recommendations and risk management / mitigation status to the Executive Operating Team and Board of Directors through the publication of meeting minutes and on occasion with formal presentations. The Committee has drafted a Risk Responsibility Matrix to identify the specific people in management to manage the risk and the appropriate Board Committee or the Board itself to provide risk oversight for each individual risk (Exhibit 13).

Exhibit 13 – Risk universe monitoring network link to the Risk Committee

Columns: Chief Executive Officer; Chief Financial Officer*; Associate General Counsel; Exec VP Human Resources; Exec Dir Strategic Planning; AE GLC Representative; BE GLC Representative; PS GLC Representative; Full Board of Directors; Audit Committee; Compensation Committee; Corporate Governance Committee; Finance Committee

External Risks

1 Risk 1 X X X X X X

Strategic Risks

2 Risk 2 X X X X X

3 Risk 3 X X X X X X

Operational Risks

4 Risk 4 X X X X X

5 Risk 5 X X X X X

6 Risk 6 X X X X X

7 Risk 7 X X X X

8 Risk 8 X X X X

People Risks

9 Risk 9 X X X X X

10 Risk 10 X X X X X

Financial Risks

Legal & Compliance Risks

Summary

The Board of Directors and the senior leadership team have embraced the importance of a robust corporate risk management program. The tone at the top has been clearly communicated and the corporation is developing a culture of prudent risk management. The approach we employ is based on a collection of process steps taken from global best-in-class benchmarks. The creation of additional tools and the formation of a Risk Committee have greatly increased our ability to identify emerging risks, weigh appropriate risk appetite and improve the communication frequency and fidelity between corporate leadership and the Board of Directors (Exhibit 14). We are committed to continuously improving the tools, capability and breadth of that approach and to proactively identifying, addressing and mitigating the risks that pose the greatest threat to our corporation.

Exhibit 14 – Johnson Controls ERM calendar and touch points

Current JCI Risk Universe

External Risks – Outside forces that can potentially affect the ability of the organization to achieve its business objectives and strategies.

1 Competition Risk - Actions of competitors or entrants to the market affect JCI's competitive advantage and/or ability to survive.

2 Economic Factors Risk - Inability to react to fluctuations in the economy that increase or decrease demand (e.g., substitution, complementary) for the organization’s products and services.

3 Changing Consumer Needs Risk - Inability to cater to changes in consumers' demand that increase or decrease production volume; forces them to switch suppliers, e.g., bigger vehicles (more rows of seats) to smaller ones (fewer rows of seats); luxury (leather) vs economical (fabric) ones; corporate direction and/or policies, i.e., cost-reduction, etc.

4 Financial Markets Risk - General movements in capital market prices that affect the value of the organization’s financial assets including credit spreads and underlying stock valuation, which in turn affect stakeholders’ confidence in the organization and its ability to raise capital (debt and equity).

5 Legal Risk - Inability of the organization to comply with current, changing, or new laws threatens the organization’s capacity to consummate important transactions, enforce contractual agreements, or implement specific strategies and activities (i.e., inability to comply with 90 day employment and labor legislation of the new administration).

6 Regulatory Risk - Inability of the organization to comply with current, changing or new regulations impacts the organization’s competitive advantage and its ability to effectively conduct business and achieve its objectives.

7 Terrorism Risk - Failure to protect the organization from attacks, both domestic and international, that can disrupt day-to-day operations, preventing it from providing essential products and services to its customers.

8 Activist Shareholder Risk - Failure to protect the corporation from a large shareholder buy-out which could result in controversial new management strategies.

9 Sovereign/Political Risk - The occurrence of political actions (e.g., confiscation, expropriation, nationalization, deprivation; forced divestiture or forced abandonment; civil unrest; currency controls; import/export license cancellation; embargo; contract frustration) in a country where the organization has invested human and capital resources and where the impact can threaten the organization’s future cash flows and profit targets.

10 Natural Hazard/Catastrophe Risk - Inability to plan for and recover from a major disaster (e.g., hurricane, earthquake, typhoon, epidemic) interrupts the day-to-day operations of the organization, preventing it from providing essential products and services to its customers and recovering its operating expenses.

11 Weather Risk - Ability to plan for and recover from extreme seasonal weather fluctuations that impact operations and financials.

12 External Relations Risk - Failure to develop external relations practice/communications (e.g., partner relations, community relations, media relations, etc.) which is important especially in difficult times.

13 OEM Restructuring Cost Share Risk - Potential for mandated/legislated "share the pain" provisions for suppliers to participate in OEM mandated restructuring.

14 Widespread Diseases - The risk of diseases and pandemics to adversely impact the workforce and supply chain.

Strategic Risks – Risks that can potentially affect the ability of the organization to achieve its business objectives and strategies.

15 Board Structure Risk - Failure of the Board of Directors to discharge their obligations and duties owed to JCI and its stakeholders in good faith; and to possess adequate skills/knowledge to interpret and act in accordance with the information provided.

16 Tone at the Top Risk - Senior management fails to establish a culture that encourages integrity, ethical values, and competence of JCI's people through their management philosophy and operating style, assignment of authority and responsibility, and through their focus on the organization and development of their people.

17 Corporate Monitoring Risk - Failure to periodically assess performance, quality and adherence to the standards as set forth by JCI.

18 Shareholder Relations - Ability to maintain stakeholder investor confidence in the management & execution of projects and its ability to execute its strategies and meet its goals and objectives.

19 Organization Structure Risk - Failure to accomplish goals and objectives due to an ineffective, unclear organization structure.

20 Strategic Planning Risk - Inability to discover, evaluate and select among alternatives to provide direction and allocate resources for effective execution to achieve the strategic objectives of JCI.

21 JV's/Alliances & Partnerships - Failure to choose the right JV partners that contribute to the growth and profitability objectives of the organization. Inability to keep a stable level of communication and relationship with JV partners.

22 Management of JV’s /Alliances & Partnerships - Unproductive, high-risk or otherwise not closely managed alliance partnerships that can lead to lost time and investment, product and/or service failures.

23 M&A Integration / Divestiture Risk - The failure to effectively execute and integrate a strategic acquisition, merger or divesture intended to achieve business objectives.

24 Prioritization Risk - Failure to set clear priorities in difficult environments - result is "everything is equally important".

25 Image and Branding - The risk of an event that could adversely impact the image of the organization or industry. Failure to effectively attract customers and sustain demand for the company’s products or services (e.g., poor brand management).

26 Business Portfolio Risk - Failure to ensure that pertinent information is gathered to enable management in effectively prioritizing its products/services and optimizing its overall performance.

27 Technology Breakthroughs - The inability to interpret the trend of technology and science and its impact on the company's current and future business; this includes anticipating the change and being able to react quickly. Failure to have an organizational structure that has the built-in flexibility to adapt emerging technologies of tomorrow. Failure to take advantage of rapidly evolving technologies and science developments.

28 Customers' Financial Health / Bankruptcy Risk - Distressed financial health of customers and declines in primary world economies that could significantly impact the overall business.

29 Emerging Market Risk - Inability to understand emerging market business, cultural and regulatory environments. The lack of organization wide strategies to react to sudden business challenges occurring in operations located in or doing business with emerging markets.

30 Strategy Alignment Risk - The organization’s inability to properly align its business strategies with stated business objectives.

Operational Risks – The risk of losses resulting from inadequate or failed internal processes, people or systems. Note: this definition differs from the Basel II definition in that it excludes external events.

31 Crisis Communications / Management Plan - Failure to put in place crisis communications and/or management plans; failure to view/review plans; failure to communicate plans; failure to simulate crisis scenarios to test plans, etc.

32 Budgeting and Forecasting Risk - Compiling incomplete and/or inaccurate information relating to future financial reporting and planning, resulting in inappropriate financial conclusions and decisions; resulting from rapidly changing customer forecasts, an inability to find reliable sources or not involving the relevant parties in the forecasting process.

33 Working Capital Risk - Failure to reach working capital levels to achieve cash and liquidity strategic goals.

34 Technological Innovation Risk - Inability to implement technological advances in the organization’s business model and strategies in order to remain competitive in the marketplace and to attain superior quality, cost, and time performance in its products, services, and processes.

35 Market Research Risk - Failure to conduct market/consumer research or failure to conduct adequate research before development which results in resource waste.

36 Design and Development Risk - Failure to create new products and services to respond to opportunities and requirements in the marketplace. The inability to keep the company's Design and Development activities up with technology or the failure to respond to the market needs, i.e., creating things that the market does not ask for/want.

37 M&A Due Diligence Risk - Failure to execute a sound due diligence process that should include multi-disciplinary and multi-jurisdictional teams. The lack of record-keeping and tracking of significant deal points agreed on M&A related contracts.

38 Supply Chain & Logistics Risk - Poorly positioned and/or under-performing suppliers jeopardize the organization’s ability to effectively and efficiently access inputs into production or distribute products to customers.

39 Manufacturing Operations Risk - Failure to produce a part or product to meet the acceptable quality levels at standard cost or below to meet the customer's requested shipment date. Includes the inability to coordinate and control shop operations, maintenance, manufacturing engineering, safety, environmental and quality departments to produce a part or product to customer specifications at or below standard cost.

40 Quality Risk - Failure to provide customer product and service quality to enable long-term customer loyalty. Includes ineffective response to customer needs, queries and concerns regarding JCI's products and/or services.

41 Customer Intimacy - Lack of clear strategies to keep dynamic relationships with customers to provide multiple points and frequency of contacts, as well as multiple points of view about the relationship and its benefits to both parties.

42 Marketing & Sales Risk - Inability to market and sell products to key target markets in order to achieve JCI's strategic and financial goals.

43 Pricing Risk - Incorrect pricing strategies that will result in loss of new business or financial loss of current business. Failure to price company’s products at market levels.

44 SG&A Contraction Risk - Risk of cutting and maintaining SG&A spending at levels that are too low to sustain the business.

45 Service Failure - Failure to provide customer service to enable long-term customer loyalty. Includes ineffective response to customer needs, questions and concerns about JCI's products and/or services.

46 Business Continuity - Failure to undertake the appropriate advance planning related to critical processes to ensure the ability to recover and maintain business operations in the event of a disruption due to physical or natural circumstances.

47 Real Estate Risk - Failure to provide physical protection and stewardship over real estate designed to optimize longevity and utilization. Includes the failure to capitalize on growth opportunities, rationalize the real estate base, expand real estate portfolio, or initiate a change in strategic or operational direction.

48 Strike and Workforce Disruption Risk - Failure to manage the risk associated with potential labor actions against manufacturing operations.

49 Plant & Equipment Risk - Failure to provide physical protection and stewardship over long-life assets (such as buildings, furniture, fixtures, machinery, equipment and other assets) designed to optimize longevity and utilization.

50 Inventory Risk - Failure to provide physical protection and stewardship over inventories designed to optimize utilization while minimizing obsolescence, contamination, etc.

51 IT Security & Access Risk - Information systems that do not adequately protect internal and external access to the data they provide from theft, viruses, sabotage or improper use.

52 IT Availability & Continuity Risk - Information systems critical to business performance are not consistently available or able to be quickly restored following a man-made or natural disaster.

53 IT Integrity Risk - Information systems that do not protect the reliability and accuracy of the information they manage. The information cannot be trusted for decisions or could lead to incorrect decisions.

54 IT Systems & Integration Risk - Information systems do not capture and share data consistently between systems in a reliable environment at a reasonable cost.

55 Health and Safety Risk - Failure to provide a safe working environment exposes the organization to compensation liabilities, loss of business reputation, and other costs.

56 Environmental Risk - Activities harmful to the environment expose the organization to liabilities for bodily harm, property damage, cost of remediation, punitive damages and indirect costs, and fines, penalties and government action.

57 Incapacitated Leadership - Events that can affect Senior Management's ability to execute their roles and responsibilities.

58 Distressed Suppliers Risk - Impact of supplier financial distress and bankruptcy on JCI liquidity and our ability to meet supply commitments.

People Risk – Risks that employees are not properly guided, do not have a clear understanding of the message, do not understand the limits of their authority and do not have properly defined roles.

59 Recruiting Risk - Failure to recruit qualified employees to ensure optimal staffing levels in a balanced workforce environment. Inability to attract (because of lack of brand awareness, comp & benefits, etc.) the right amount of qualified employees to support the company's growth strategy.

60 Retention Risk - Failure to retain qualified employees to ensure optimal staffing levels in a balanced workforce environment.

61 Deployment of Human Resources - Inability to deploy the available resources in the right locations/functions to maximize the benefit for both the company and the employee.

62 Leadership Development Risk - Inability to develop and enhance leadership skills and provide leadership management to ensure optimal achievement of organizational strategies, goals and objectives.

63 Technical Skill Development - As a result of inadequate content or deployment, poor quality training fails to deliver desired results.

64 Orientation & Training Risk - Failure to provide proper training to equip new hires with the needed knowledge about the organization, the job, the system, etc.

65 Staff Exit Process Risk - Failure to have efficient exit process in place; exit process not enforced or not properly enforced/monitored, resulting in poor or non-existent hand-over by the exit staff to the new hires.

66 Intellectual Property Protection (internal) - Failure to put in place a process to check/protect intellectual properties owned by the company resulting in misuse by staff; erased/removed vital information by exit staff/discontented staff, etc.

67 Company Spokesperson Risk - Failure to identify spokespersons who will speak on behalf of the company where needed especially in time of need, urgency or disaster; inadequately trained media spokespersons.

68 Succession Planning Risk - Failure to create and implement a succession plan for key Company positions and employees.

69 Compensation & Benefits Risk - Failure to compensate and provide benefits to employees that align with employee expectations and market environment, to provide employees with incentives to perform their job function at an optimal level - concern that the reductions caused by economic conditions (merit/bonus/401K/equity) are more severe at JCI than other multi-industrials.

70 Employee Communications Risk - Ineffective internal communications that lead to conflicting messages, wrong direction of operation and wastage of time and resources.

71 Knowledge Management Risk - Failure to maintain effective processes for capturing and institutionalizing learning across the organization, resulting in slow response time, duplication, high costs, repeated mistakes or inconsistent skill sets.

72 Labor Relations - Lack of success in keeping desired level of management-union relationships.

73 Employee Relations - Failure to effectively implement and apply policies and practices to develop, maintain and improve the relationship between the company and individual employees and groups of employees.

74 Work Life Balance Risk - Reduced staffing levels lead to extreme skill gaps; aggravate employee pressure and remove work life balance - high performers become overloaded and disengaged.

75 Changing Employee Value Proposition Risk - Risk associated with leaders that are in crisis mode versus a focus on employee engagement; reduced compensation and benefit package lead to a changed employee value proposition which leads to decreased quality of employees (attract and retain hi-potentials).

Financial Risks – The risks that cash flows are not effectively managed leading to a loss in revenue, shareholder value and the overall stability of the organization.

76 Capital Availability Risk - Mismanaging access to capital, threatening the organization’s capacity to grow, achieve its business goals and objectives, and meet its profit targets.

77 Interest Rate Risk - Failure to mitigate unexpected or expected fluctuations in interest rates damages the organization’s reported earnings and capital.

78 Foreign Exchange Risk - Failure to mitigate volatility in foreign exchange rates exposes the organization to economic and/or accounting losses.

79 Commodities Risk - Failure to mitigate fluctuations in commodity prices exposes the organization to lower product margins and/or trading losses.

80 Cash Management Risk - Failure to administer, monitor and manage cash related activities to ensure liquidity.

81 Funding Risk - Failure to meet the requirements of a portfolio of capital investments and obligations based on specified commitments or in accordance with terms of an agreement (i.e. retirement and capital accounts).

82 Growth and Innovation Funding Risk - Failure to adequately fund growth, innovation and sustainability initiatives during periods of financial and market uncertainty.

83 Models and Methodologies Risk - Failure to implement and apply efficient tools (i.e. hedging, insurance) which effectively minimize significant financial losses arising from price fluctuations or other incidents and claims.

84 Credit and Collections Risk - Inability to obtain the optimal level of payment received as a result of a prior business transaction.

85 Tax Risk - Failure to minimize tax obligations and comply with state and federal tax requirements.

86 Debt Risk - Inability to borrow money from creditors to provide adequate funding for business objectives and/or to cover current operating or capital obligations.

87 Equity Risk - Inability to raise equity from investors to provide funding for business objectives as well as managing the return to investors through the number and type of share offerings as well as dividends.

88 Pension Fund Risk - Incomplete and/or inaccurate information pertaining to compensation and benefits precludes the organization from meeting its defined obligations to employees on a timely basis and results in a loss of morale and reputation, work stoppages, litigation and additional funding requirements (e.g., pension plans, deferred compensation plans, medical/dental plans).

89 Capital Allocation Risk - Inefficient use of funds that leads to the loss of economic value, including time value losses and transaction costs.

90 Insurance Risk - Inability to obtain credit insurance coverage against the risk of customer bankruptcy (companies are withdrawing credit insurance from several US OEMs in Europe).

Legal and Compliance Risk – Risks that can affect the organization’s reputation and image causing financial harm to the organization.

91 Social Responsibility Risk - An absence or the mismanagement of "socially responsible" activities (e.g., conducting social responsibility training for management of manufacturers, undertaking environmental programs, participating in community initiatives) resulting in an unfavorable Corporate perception with stakeholders, customers, suppliers, business partners, employees and the regulatory community.

92 Ethics Risk - The absence of formal standards of employee code of conduct that are intended to direct and influence the way business is conducted, above and beyond the letter of the law.

93 Fraud Risk - Potential unethical acts committed by Company employees or other stakeholders may negatively impact JCI’s reputation.

94 Contract Commitment Risk - Inability to maintain relevant and/or reliable information concerning contractual commitments to avoid a loss of revenues to the organization. Entering into contracts that are unfavorable to JCI; and the failure to comply with and monitor contract terms to protect JCI from financial losses.

95 Liability Risk - A responsibility, duty or obligation that may result in lawful consideration to provide satisfaction, compensation or other form of restitution.

96 Regulatory Compliance Risk - Failure to act in accordance with rules, regulations, ethical standards, professional code of conduct and procedures, resulting in a negative effect on the organization’s reputation, earnings and/or shareholder equity. Failure to comply with applicable Customs regulations and specific tariffs resulting in tax contingencies with US and/or foreign countries' governments.

97 Conflict of Interest Risk - Inability to avoid situations in which an employee or employees of an organization have a personal interest sufficient to, or to appear to, influence the objective execution of shareholders’ interests.

98 Reporting & Disclosure Risk - Inaccurate recording and reporting of all financial transactions in the proper accounting period in accordance with existing standards. Includes the following assertions: completeness, existence, occurrence, presentation and disclosure, rights and obligations, and valuation and measurement.

99 Internal Control / SOX Risk - Significant or material weaknesses resulting from inadequate financial internal controls impacting management's assessment and reporting under the Sarbanes-Oxley Act.

100 Intellectual Property Rights Risk - Failure to adequately secure intellectual property and protect the same.

101 Integration of Acquisitions - Failure to efficiently and effectively integrate newly acquired businesses into JCI and our compliance and corporate governance programs.

102 Onboarding of New Employees - Failure to efficiently and effectively onboard new employees when they join the company or move from one business or location or position to another.

103 Agents and Other Third Parties - Failure to perform adequate due diligence with respect to third parties with which we have relationships and/or failure to have effective contracts and processes in place with these third parties holding them to high ethical standards.