
SUSTAINABILITY ACCOUNTING STANDARDS BOARD (SASB) CONTENT INDEX

The Booz Allen Hamilton 2023 Environmental, Social, Governance (ESG) Report ("FY23 ESG Report") has been prepared in accordance with the Sustainability Accounting Standards Board (SASB) Index: Professional and Commercial Services subset Version 2023-06. SASB standards are designed to identify a set of sustainability issues most likely to impact the operating performance or financial condition of the typical company in an industry, regardless of location. Topics that may be deemed material under the SASB Standards are not necessarily material for purposes of the U.S. federal securities laws or for other purposes. For additional information on the SASB Standards, please visit the SASB Standards website.

CODE METRIC LOCATION AND/OR DISCUSSION
Data Security
SV-PS-230a.1 Description of approach to identifying and addressing data security risks

FY23 ESG Report; Drive Community Resilience, Cybersecurity & Data Privacy (Pages 46-47)

FY23 ESG Report; Corporate Governance, Ethics & Compliance (Pages 53-54)

FY23 ESG Report; Corporate Governance, Enterprise Risk Management; Supply Chain Management (Page 55)

FY23 Annual Report on Form 10-K; Part I, Item 1A, Risk Factors (Pages 15-16, 21-24)

We safeguard information and technology assets in order to prevent harm to our employees, our enterprise, our clients, and those whose information or assets are entrusted to us.

Our Board's Audit Committee, which is tasked with oversight of certain risk issues, including cybersecurity, receives reports from the Chief Information Security Officer and the Chief Information Officer multiple times throughout the year. The Audit Committee regularly briefs the full Board on these matters, and the full Board also receives periodic briefings on cyber threats in order to enhance our directors' literacy on cyber issues.

At the enterprise level, Information Services, Security, Enterprise Risk Management, Legal, Ethics and Compliance, and related advisory bodies engage in the following, among other activities, designed to protect sensitive information with which we come into contact:

  • Track systems integration effectiveness, efficiency, and data integrity.
  • Manage incidents through identification, investigation, and remediation with maintenance and annual testing of incident response plans and procedures, including regularly conducted tabletops and after-action walk-throughs for continuous improvement.
  • Collect, consume, and distribute cyber threat intelligence reporting.
  • Maintain partnerships within the information security community.
  • Support compliance with relevant security and control plans and guidance and conduct annual risk assessments and external audits, including external annual compliance assessments against the NIST 800-171 requirements.
  • Facilitate both internal and external collaboration for intelligence sharing.
  • Promote organizational effectiveness through employee training.
  • Proactively search for vulnerabilities and attackers utilizing automated and manual techniques.
  • Conduct adversary emulation exercises using both in-house and external professionals without notice to threat defenders to continuously test our defend and respond capabilities.
  • Advise on standards for firm storage and cloud computing and client delivery environments.
  • Maintain secure facilities up to Top Secret and Sensitive Compartmented Information Facilities accredited by various agencies.
  • Advise on enterprise and entrusted asset privacy and international trade compliance, brand use and protection requirements, and intellectual property protection.
  • Advise on public reporting requirements and treatment of material nonpublic information.

Every Booz Allen person is responsible for doing their part to maintain the integrity, proper use, and handling of information. All employees are required to participate in annual information security training on a variety of topics, including data privacy, phishing, and other emerging issues. We offer additional training, depending on an employee's job function, to make sure they are equipped to respond in a rapidly evolving cyber threat landscape.

For security related questions or concerns contact:

  • Cyber Incident Response Team ([email protected] or 703-984-1933) for observed or suspected information security incidents.
  • Security Services ([email protected]) for security or safety concerns.
SV-PS-230a.2 Description of policies and practices relating to collection, usage, and retention of customer information

FY23 ESG Report; Drive Community Resilience, Cybersecurity & Data Privacy (Pages 46-47)

Our standard information security and data security policies, practices, and procedures apply to all Booz Allen entities, including wholly owned subsidiaries, as well as all cleared Booz Allen facilities and their employees. To enhance both specificity and flexibility, we supplement those standard procedures with additional protocols specific to the needs of a location, client, or engagement. We also evaluate the security policies and practices of our suppliers and business partners.

Our data privacy policy outlines our commitment to the protection of personal information and sets forth retention and deletion requirements. We also recognize, respect, and seek to achieve compliance with applicable laws of foreign nations.

Booz Allen people are bound by confidentiality obligations and policy requirements that apply when they collect, receive, use, process, store, destroy, or disclose information, and we have a robust investigation and disciplinary process in place to respond to noncompliance. But the nature of our work and our corporate values require more than just compliance. It is up to every Booz Allen employee to create connections, establish relationships, and build trust within teams. We support our employees with an ecosystem of services, programs, training, and tools designed to prevent, bring to light, and mitigate potential risk situations.

See also:

Compliance with International Trade Regulations Policy

Data Privacy Policy

Code of Business Ethics and Conduct (Page 16)

Supplier Code of Conduct; 10. Information Governance

SV-PS-230a.3
  1. Number of data breaches,
  2. percentage involving customers' confidential business information (CBI) or personally identifiable information (PII),
  3. number of customers affected

FY23 ESG Report; Drive Community Resilience, Cybersecurity & Data Privacy (Pages 46-47)

Booz Allen has not reported any material data breaches in the reporting period.

See also:

Data Privacy Policy

Workforce Diversity & Engagement
SV-PS-330a.1 Percentage of gender and racial/ethnic group representation for
  1. executive management and
  2. all other employees

FY23 ESG Report; Empower Diverse Talent, Diversity, Equity, & Inclusion, Booz Allen Employees at a Glance (Page 15)

FY23 ESG Report; Corporate Governance, Board of Directors (Page 52)

FY23 ESG Report; Booz Allen's Workforce Metrics FY23 (Page 59)

FY23 Annual Report on Form 10-K; Part I, Item 1, Human Capital Management (Page 4)

Refer to Booz Allen's Workforce Metrics FY23 on page 59 of our FY23 ESG Report for the percentage of gender and racial/ethnic group representation for our total workforce, senior leadership, and all other employees.

See also:

Booz Allen's Diversity, Equity, and Inclusion Program

Equal Employment Opportunity and Affirmative Action Policy

Code of Business Ethics and Conduct (Page 14)

Total Rewards Program

SV-PS-330a.2 (1) Voluntary and (2) involuntary turnover rate for employees

FY23 ESG Report; Booz Allen's Workforce Metrics FY23 (Page 59)

FY23 Annual Report on Form 10-K; Part I, Item 1, Human Capital Management (Page 4)

We do not report aggregate voluntary and involuntary annual turnover rates, as that information is Booz Allen confidential information. Consistent with our commitment to diversity, equity, and inclusion, we do report the percentages of new hires and departures by demographic categories on page 59 of our FY23 ESG Report.

SV-PS-330a.3 Employee engagement as a percentage

FY23 ESG Report; Empower Diverse Talent, Employee Engagement (Pages 21-24)

FY23 ESG Report; Empower Diverse Talent (Pages 12-31)

FY23 ESG Report; Empower Diverse Talent, Talent Development (Pages 19-20)

FY23 Annual Report on Form 10-K; Part I, Item 1, Employee Engagement (Page 4)

We conduct an annual Employee Experience Survey, which measures, among other factors, our employees' impression of the inclusiveness of our work environment. The survey results provide insights into how employees experience Booz Allen and our culture, helping our leaders better understand areas of opportunity and areas for greater attention. We engaged with employees to understand how we could best help them, including maintaining a robust benefits program, financial and job security, enhanced caregiver support, and telework resources. In our FY23 Employee Experience Survey, 86% of Booz Allen people said the firm helps them build relevant skills, and 84% of Booz Allen people said the firm supports their professional development.

We do not disclose employee engagement as a percentage; however, the references provided include discussions of our practices.

Professional Integrity
SV-PS-510a.1 Description of approach to ensuring professional integrity

FY23 ESG Report; Corporate Governance, Ethics & Compliance (Pages 53-54)

FY23 ESG Report; Corporate Governance, Supply Chain Management (Page 55)

Ethics and Compliance Program

Code of Business Ethics and Conduct

Our employees are required to complete annual training on our Code of Business Ethics and Conduct. Additionally, our Code expresses our expectation that all our business partners, including subcontractors, suppliers, vendors, and business intermediaries, operate in a manner that is consistent with our commitment to diversity, integrity, and sustainability. We have audited our ethics program across our global operations through program assessments generally occurring on a three-year cadence.

Read more about our approach to professional integrity in the following sources:

Our Purpose and Values

Supplier Code of Conduct

Ethics & Compliance Policies

FY23 Annual Report on Form 10-K; Part I, Item 1, Human Capital Management (Pages 4-6)

SV-PS-510a.2 Total amount of monetary losses as a result of legal proceedings associated with professional integrity

We address and resolve all issues associated with professional integrity. Booz Allen has not incurred monetary losses during the reporting period as a result of material legal proceedings associated with professional integrity.

Activity Metrics
SV-PS-000.A Number of employees by: (1) full-time and part-time, (2) temporary, and (3) contract

Refer to the FY23 ESG Report, Booz Allen's Workforce Metrics on page 59 for information on our permanent employees as of March 31, 2023. Of these, 653 were part time. In addition to our permanent employees, 4,555 of our workers were temporary/independent contractors.

SV-PS-000.B Employee hours worked, percentage billable

The company monitors all hours worked by employees. We do not report the total number of employee hours worked or the percentage billable, as it is Booz Allen confidential information.

See also:

Code of Business Ethics and Conduct (Page 26)

Data in this report primarily reflects performance and operations during our 2023 fiscal year, which ended March 31, 2023. Unless otherwise noted, references to years or fiscal years are those ending on March 31.
Descriptions of our practices, policies, and programs may reflect more current information, where appropriate in the circumstances.