NNPCL GRC quiz

Questions and Answers

What is the purpose of NNPC Limited's risk appetite?

• To guide the determination of risk appetite
• To establish a proactive ERM model
• To reduce operational surprises and losses
• To determine how much risk is acceptable (correct)

Which of these is not a key objective of risk management within NNPC Limited?

• To integrate risk management into the decision-making process
• To develop a risk culture
• To eliminate risk in NNPC activities (correct)
• To improve stakeholders' confidence and trust

What is the role of ERM in NNPC Limited?

• To reduce operational surprises and losses
• To develop and implement effective strategies
• To be an integral part of strategic and operational planning (correct)
• To integrate risk management into the decision-making process

According to the text, which of the following is NOT a parameter considered when determining the risk appetite for NNPC Limited and its subsidiaries?

Safety (A)

Who is responsible for developing and reviewing the risk appetite statements in consultation with the Senior Management Committee?

Head of Risk Management (D)

According to the text, when does NNPC Limited's risk appetite need to be re-evaluated?

All of the above (D)

What are the broad corporate objectives on which NNPC Limited would base its risk appetite?

All of the above (D)

Which of the following is NOT considered when re-evaluating NNPC Limited's risk appetite?

Changes to the Company's strategic objectives and risk preferences (C)

What does a strong risk culture within NNPC Limited lead to?

Effective management of risks (A)

What is one of the key objectives of risk management within NNPC Limited?

To achieve the Company's mission and vision (C)

Which of the following is NOT a key pillar of risk management within NNPC Limited and its subsidiaries?

Compliance (D)

Based on the text, which of the following is NOT a component of NNPC Limited's risk governance structure?

ERM stakeholder relationships (C)

Which model does NNPC Limited's risk governance structure follow?

Three lines of defense (C)

Who is authorized to grant exceptions to the application of NNPC Limited's risk management policy?

The GCEO (D)

What are the four key pillars that NNPC Limited and its subsidiaries shall adhere to in terms of risk management?

a) Leadership, b) Ownership, c) Transparency, d) Compliance (A)

What is the role of the Governance, Risk and Compliance Function within NNPC Limited?

To monitor compliance with laws, regulations, and organizational policies (B)

Who is authorized to grant exceptions to the application of NNPC Limited's risk management policy?

The GCEO (A)

Which of the following is NOT a component of NNPC Limited's risk governance structure?

The risk management committees (B)

Who is responsible for overseeing the risk management activities at NNPC Limited and its subsidiaries?

The Chief Compliance Officer (D)

What is the role of the Heads of Risk Management at NNPC Limited and its subsidiaries?

To provide risk oversight on their respective risk areas (A)

What is the purpose of NNPC Limited's risk reporting structure?

To report on the status of risk profiles to the ERM Function (B)

What is the role of Functional Heads in NNPC Limited's risk management activities?

Act as a communication channel between the ERM Function and risk owners (B)

Based on the text, what is the responsibility of the ERM Function at NNPC Limited and its subsidiaries?

Educate members of their team on the use of the control self-assessment questionnaires (B)

What is one of the key responsibilities of the Second Line of Defence in NNPC Limited's risk management?

Foster a corporate risk culture through adequate training and serving as an internal ambassador and resource centre for ERM (C)

Who is responsible for implementing an effective risk management system and instilling the right culture throughout NNPC Limited and its subsidiaries for effective risk governance?

Management Risk Committee (D)

Based on the text, what is the role of the Board Audit Committee (BAC) in relation to risk management?

Oversee the effectiveness of risk management and controls (B)

What is the responsibility of the Functional Heads in relation to risk management?

Adhere to NNPC Limited's process for identifying and managing risks (B)

Based on the text, what is the responsibility of the Management Risk Committee in relation to risk management?

Review and validate key risk indicators & threshold limits (C)

Which committee is responsible for reviewing the framework for managing risks and recommending it to the Board for approval?

Board Audit Committee (BAC) (D)

What is one of the responsibilities of the Management Risk Committee?

Develop and implement a sound system of internal controls and mitigating strategies (B)

What is the role of the ERM Function at NNPC Limited and its subsidiaries?

To implement an effective risk management system and instil the right culture throughout the organization (B)

Which of the following is NOT a category used for categorizing risks in NNPC Limited's risk management process?

External risks (D)

What is one of the activities involved in the ERM function at NNPC Limited and its subsidiaries?

Administering questionnaires and surveys (B)

Which document is NOT reviewed during the ERM process at NNPC Limited?

Risk event reports (A)

What is the purpose of populating the risk register and mapping risks to the relevant business process in the ERM process at NNPC Limited?

To identify duplicated risks (D)

Which of the following is NOT a policy related to risk identification within NNPC Limited?

Management shall put systems in place to ensure that enterprise risks are reviewed at least annually and on a continuous basis. (A)

Who is responsible for gathering and reviewing information on project risks within NNPC Limited?

The Heads of Departments (C)

Which of the following is NOT a component of NNPC Limited's risk management process?

Risk Reporting (B)

Who is responsible for overseeing the risk management activities at NNPC Limited's subsidiaries?

The Subsidiary Executive Director of the GRC (A)

Which of the following is NOT a responsibility of the Functional Heads in relation to risk management?

Implementing policies and procedures developed to manage risks (D)

Which of the following is NOT a responsibility of the ERM Function at NNPC Limited and its subsidiaries?

Consulting with process owners to identify and propose key risk indicators, threshold limits and mitigating strategies (C)

Which of the following is NOT a role of the Audit Function in NNPC Limited's risk management?

Performing periodic scans of the operating environment for emerging risks (B)

Which of the following is NOT a component of NNPC Limited's risk governance structure?

Functional Heads (D)

Which of the following is NOT a component of NNPC Limited's risk governance structure?

ERM Function (C)

What is the responsibility of the Functional Heads in relation to risk management?

Granting exceptions to risk management policy (B)

What is the role of the Governance, Risk and Compliance Function within NNPC Limited?

Ensuring compliance with risk management policy (A)

Which of the following is NOT a factor considered by NNPC Limited in assessing/ranking identified risks?

The frequency of the risks occurring (A)

Which of the following is the highest likelihood factor for a risk to occur according to NNPC Limited's risk ranking criteria?

Almost Certain (C)

What is the likelihood factor for a risk to occur if it is expected to happen at least once in every 3 years according to NNPC Limited's risk ranking criteria?

Possible (D)

According to the text, which of the following is NOT a level of risk in NNPC Limited's risk map?

Extreme (B)

According to the text, which of the following is NOT a parameter considered when determining the financial impact of an event/risk in NNPC Limited?

Extreme impact (A)

According to the text, which of the following is NOT a risk category in NNPC Limited's risk management process?

Financial (D)

According to the text, which of the following is NOT a responsibility of middle level management in relation to risk management at NNPC Limited?

Mitigating or exploiting high risks (B)

Which of the following methods is NOT mentioned as a way to assess risks within NNPC Limited's risk management process?

Desktop-based assessment (B)

What is the purpose of a control assessment within NNPC Limited's risk management process?

To evaluate the effectiveness of controls designed by management (C)

What is the description of a control rating of 'Fair' within NNPC Limited's risk management process?

There is room for some improvement (C)

What is the responsibility of the ERM Function in collaboration with business and risk owners within NNPC Limited's risk management process?

To establish and agree on the criteria for assessing risks (C)

Which of the following is NOT a factor considered by NNPC Limited in assessing/ranking identified risks?

The frequency of occurrence in a 3-year period (B)

What is the highest likelihood factor for a risk to occur according to NNPC Limited's risk ranking criteria?

Almost Certain (C)

What is the potential non-financial consequence of an event/risk occurring if a risk were to crystallise?

Impact (A)

Which of the following is NOT a type of document reviewed during the ERM process at NNPC Limited?

Performance measure basis (C)

What is the frequency at which the risk assessment pack is inputted in the ERM process at NNPC Limited?

As required (B)

Who are the recipients of the risk heat map output in the ERM process at NNPC Limited?

Board & Executive Management (D)

Which of the following is NOT a risk category used for categorizing risks in NNPC Limited's risk management process?

Market risks (B)

According to the text, which of the following is NOT a responsibility of the Management Risk Committee?

Identifying and assessing risks (C)

What is the highest likelihood factor for a risk to occur according to NNPC Limited's risk ranking criteria?

Almost Certain (D)

According to the text, what does a strong risk culture within NNPC Limited lead to?

Improved risk management (B)

Which of the following methods is NOT mentioned as a way to assess risks within NNPC Limited's risk management process?

Desktop-based assessment (B)

What is the frequency at which the risk assessment pack is inputted in the ERM process at NNPC Limited?

Annually (C)

What is the highest likelihood factor for a risk to occur according to NNPC Limited's risk ranking criteria?

High (A)

According to the text, what is the role of ERM in NNPC Limited?

Oversee risk management activities (A)

Which of the following is NOT a risk treatment approach adopted by NNPC Limited and its subsidiaries?

Avoid (C)

Under which risk treatment approach does NNPC Limited accept the risks inherent in the exposure?

Tolerate (A)

In which instances would NNPC Limited adopt the Tolerate risk treatment approach?

When the risks are low/minimal (B)

Which of the following is NOT a responsibility of the Risk Management Team at NNPC Limited?

Implementing risk mitigation plans (D)

What is the purpose of the Risk Management Framework (RMF) at NNPC Limited?

To consider the relevant risk mitigation approach for decision-making (C)

Which document is NOT an input to the ERM Function and Risk Process Owner at NNPC Limited?

Risk and Control Register (B)

What is the highest impact level according to the risk map illustration in the text?

Extreme (B)

Which of the following is NOT a component of NNPC Limited's risk monitoring and reporting process?

Status of mitigation plans (A)

Which of the following is NOT a frequency at which risk monitoring and review should be performed at NNPC Limited and its subsidiaries?

Biennially (D)

What is the purpose of key risk indicators (KRIs) in NNPC Limited's risk monitoring and reporting process?

To provide early signals of increasing risk exposures (B)

Which of the following is NOT a key component of NNPC Limited's risk register?

Level of risk (B)

What is the purpose of the external risk review within NNPC Limited's risk management process?

To identify emerging risks (D)

What information should be included in the risk event documentation within NNPC Limited's risk management process?

Description of event, root cause, severity of impact (C)

What is the responsibility of every support unit within NNPC Limited in relation to risk management?

Conduct risk and control self-assessment (D)

Which of the following is NOT included in NNPC Limited's risk management training and awareness plan?

Providing an efficient methodology for evaluating risks in the business environment (D)

What is the responsibility of the Head of Risk Management at NNPC Limited?

Developing a comprehensive training and awareness plan on an annual basis (A)

Which of the following is NOT covered in NNPC Limited's risk management training and awareness plan?

Developing a comprehensive risk management framework (B)

Which of the following options is NOT mentioned as a potential method for conducting risk management training at NNPC Limited and its subsidiaries?

Publication of quarterly bulletin highlighting ERM events (D)

What is the purpose of the risk awareness program established by the Head of Risk Management at NNPC Limited?

To raise staff awareness of the risk management policy and processes (C)

Which of the following is NOT a potential frequency for risk monitoring and review at NNPC Limited and its subsidiaries?

Quarterly (C)

Which of the following is NOT mentioned as an option for risk management training and awareness at NNPC Limited?

Regular departmental/unit chat or discussion on ERM (B)

What is the purpose of the risk awareness program established by the Head of Risk Management at NNPC Limited?

To raise staff awareness of the risk management policy and processes (D)

Which of the following is NOT a component of NNPC Limited's risk governance structure?

Functional Heads (A)

Which of the following is NOT a risk management objective mentioned in the text?

Accepting beyond specification delivery of products (A)

What is the maximum acceptable deviation from specified requirements in any given operation or project per year?

XX% (A)

What is the maximum tolerance for financial crime and non-compliance to regulatory standards mentioned in the text?

XX% on any balance sheet or P&L account (C)

What is one of the key objectives of NNPC Limited's risk management process?

To meet all financial and non-financial obligations to stakeholders (D)

What is the maximum number of instances of negative media exposure that NNPC Limited will tolerate in a year?

2 (D)

What is the maximum number of instances of asset destruction that NNPC Limited will tolerate in a year?

Less than XX (D)

What is the maximum occupational accident frequency rate (AFR) that NNPC Limited will tolerate?

Less than XX% (D)

Which of the following risk reports is prepared and issued by the Risk Management (RM) team at NNPC Limited?

Key risk indicator report (C)

Who is the recipient of the Risk Assessment report prepared by the Risk Management (RM) team at NNPC Limited?

MD/GCEO (D)

Which of the following risk reports is prepared and issued by the Risk Management (RM) team on a monthly basis at NNPC Limited?

Status of mitigation plan report (D)

Which department within NNPC Limited is responsible for monitoring and reporting on the risk control self-assessment (RCSA) within their respective business units?

Business Assurance Department (D)

According to the text, what is the purpose of the Quality Assurance Improvement Program (QAIP) at NNPC Limited?

To monitor and review risk management activities (D)

What is the meaning of the term 'GRC' in the context of NNPC Limited?

Governance, Risk, and Compliance (C)

Which of the following is NOT mentioned as a key objective of the Quality Assurance and Monitoring Function at NNPC Limited?

Enhancing the performance management metrics (C)

Which of the following models does the QA Function at NNPC Limited adopt for resourcing talents?

In-sourcing (C)

What is the purpose of the peer-to-peer review model in the QA Unit at NNPC Limited?

To bridge manning gaps (B)

How often does the GRC Function at NNPC Limited need to conduct an external assessment?

Once every three years (D)

What is the role of the QA Unit in the capacity building of GRC staff at NNPC Limited?

Monitoring execution of the training plan (B)

Which of the following is NOT one of the three major elements of the Quality Assurance and Improvement Program at NNPC Limited?

Quality Assurance Planning (D)

What is the purpose of the annual internal self-assessment conducted by the QA Unit at NNPC Limited?

To appraise the overall effectiveness of the GRC Function (D)

What does the QA Unit consider in developing the annual QA plan for ongoing internal assessments at NNPC Limited?

The outcome of the ongoing internal assessments (C)

What is the basis for selecting GRC reviews for quality assurance in the QA plan at NNPC Limited?

Risk-based approach (C)

According to the text, what is the mission of the Quality Assurance (QA) unit within the GRC Function of NNPC Limited and its subsidiaries?

To ensure compliance with the Quality Assurance Policies and procedures (C)

What is the structure of the Quality Assurance Policies and procedures?

What is the vision of the Quality Assurance and Monitoring Function within NNPC Limited and its subsidiaries?

To be regarded as a reliable business advisor to NNPC Limited and its subsidiaries (A)

What is the scope of the QA Unit within NNPC Limited and its subsidiaries?

To support the management of the GRC Function (D)

Which of the following is NOT a key performance indicator (KPI) for the People category in the Quality Assurance Unit's monitoring of the GRC Function at NNPC Limited?

Minimum training hours per GRC staff (A)

Which of the following is NOT a key performance indicator (KPI) for the Processes category in the Quality Assurance Unit's monitoring of the GRC Function at NNPC Limited?

% of reviews with cycle time from kick-off meeting to issuance of draft report within the threshold of the approved timeline (C)

Which of the following is NOT a key performance indicator (KPI) for the Plan (Efficiency) category in the Quality Assurance Unit's monitoring of the GRC Function at NNPC Limited?

Average customer satisfaction score for all processes reviewed during the year (B)

Which of the following is a key performance indicator (KPI) for the Stakeholder Management category in the Quality Assurance Unit's monitoring of the GRC Function at NNPC Limited?

Average customer satisfaction score for all processes reviewed during the year (B)

Which of the following is NOT a responsibility of the Quality Assurance Manager within NNPC Limited?

To implement and monitor compliance with the internal quality management system for enhancing the value of GRC services provided by GRC to business units. (B)

What is the objective of consolidating and standardizing the tasks and responsibilities within NNPC Limited's Quality Assurance function?

To ensure effective execution of QA reviews in line with the standards and stakeholder expectations. (B)

What is one of the overall responsibilities of the QA Unit within NNPC Limited?

To standardize GRC activities by ensuring that the policies and procedures are adequate and aligned with leading best practices. (C)

What is the responsibility of the Systems and Strategy sub-unit under QA within NNPC Limited?

To coordinate the development an annual plan highlighting the various activities to be conducted by the department. (A)

Which tool is the key tool designed to aid the quality assurance checks mentioned in the text?

QA Unit Quality Assurance Review (D)

What is the purpose of the completed QA checklist mentioned in the text?

To fill out and attach relevant documents (B)

Who is expected to make inputs into the evaluation of all teams who conducted the various GRC engagements?

QA Manager (C)

Which of the following tools is the key tool designed to aid quality assurance checks in NNPC Limited?

NNPC Quality Assurance Review (B)

What should be documented in the Quality Assurance Checklist according to the text?

Next steps for each GRC team involved in the reviews (C)

Who is expected to make inputs into the evaluation of all teams who conducted the various GRC engagements?

Manager, QA (C)

Which of the following is NOT a consideration during the planning stage of an investigation?

Confidentiality (B)

According to the text, what critical questions can a clear plan for an investigation help answer?

All of the above (D)

According to the text, why is it important for the investigation team to be flexible and prepared to address changes during the investigation?

To maintain track of the overall purpose of the investigation (D)

Which party is responsible for providing the Investigation Team with all available information regarding the case in question?

Head of Business Ethics/Relevant Function (B)

Which party is responsible for reviewing the work plan for adequacy and updating it, where applicable?

Head of Investigation Team (C)

Which party is responsible for assigning roles and responsibilities to the Investigation team members based on knowledge and expertise?

Head of Investigation Team (D)

Which party is responsible for establishing the timeframe for completing the investigation?

Head of Investigation Team (C)

According to the text, what is the purpose of a work plan in an investigation?

To detail the specific tasks and activities to be carried out in the investigation (A)

Who should be involved in the investigation team for a reported incident?

All of the above (D)

What is the recommended level of seniority for the personnel responsible for heading the investigation team?

At least one grade level higher than any individual potentially involved in the reported issue (B)

Which departments within the company may be required to provide resources for an investigation team?

Finance, Legal, Internal Audit, Human Resources Division, Information Technology (B)

According to the text, what is the responsibility of the Chief Compliance Officer in the event of a conflict of interest involving a GRC Manager?

Appoint an alternative staff to carry out the responsibilities of the GRC Manager (A)

What is one of the reasons for appointing independent investigators in an investigation?

A need for absolute confidentiality and objectivity (D)

According to the text, what should be considered when selecting external investigators for an investigation?

Reputation, integrity, capability, and experience of the investigators (A)

What is the responsibility of the Chief Compliance Officer or Head of Business Ethics in planning an investigation?

Understanding and considering professional and regulatory/legal standards (C)

Which of the following is NOT a type of information that could be required for an investigation, according to the text?

Approval documents (C)

According to the text, investigators should be cautious when gathering information for investigations because:

Information obtained from various sources may sometimes be incomplete or unreliable (B)

According to the text, investigations should be based on:

Factual findings noted during analysis of relevant information (D)

Which of the following measures should be implemented when interviewing alleged fraud perpetrators or witnesses who are employees according to the text?

Explain the allegation or reason for the interview to the employee and allow him/her to make his defense if any (i.e. fair hearing). (D)

What types of parameters can be used to analyze information gathered during an investigation according to the text?

Financial, non-financial, and visual parameters. (A)

Which of the following is NOT a component of a risk governance structure according to the text?

Bias and prejudice. (C)

Which party is responsible for conducting interviews to gather information from individuals in a position to have relevant knowledge or facts on the investigation?

The Investigation Team (D)

What should be captured per information received by the Investigation Team?

Title of information received, Time of receipt, From whom the information was received, Where the information is maintained (D)

What should be done with original documents received by the Investigation Team?

Maintain them as received without any alterations (A)

What should be done if there is non-availability of information or lack of cooperation from staff during the investigation?

Escalate to the Chief Compliance Officer (C)

Which of the following is NOT a tip for conducting interviews according to the NNPC Limited Investigation Processes and Procedures?

Take notes but do not be carried away by attempting to write all that the interviewee says. (D)

Which of the following is NOT a procedure for handling evidence according to the NNPC Limited Investigation Processes and Procedures?

Store electronic evidence in its original state at the point of obtaining it. (D)

According to the NNPC Limited Investigation Processes and Procedures, when should forced entry into premises be made?

Only within the ambits of the law, upon obtainment of the requisite lawful Order to back such entry. (B)

According to the NNPC Limited Investigation Processes and Procedures, what are the key aspects of surveillance procedures?

All of the above. (D)

Which of the following practices should be adopted during investigations to safeguard the rights of employees at NNPC Limited?

Preventing harassment or intimidation of employee during the interview (C)

What should be done when interviewing alleged fraud perpetrators or witnesses who are employees at NNPC Limited?

Explain the possible outcomes of the investigation (C)

What types of analysis can be conducted on the gathered information during an investigation at NNPC Limited?

Financial, non-financial, and visual analysis (D)

Which type of analysis involves reviewing financial information to identify anomalies and potential risk areas?

Financial Analysis (B)

What is the purpose of non-financial analysis in an investigation?

To identify patterns and trends (C)

How can visual analysis aid investigators in identifying irregular trends and relationships?

By using charts and graphs (B)

When should an escalation matrix be used in an investigation?

When the investigation team is not receiving required support (A)

According to the text, who is responsible for providing an update on the outcome of the investigation to the party who reported the suspicious incident?

Head, Investigation Team (A)

According to the text, who is responsible for preparing a weekly summary report of all investigations outstanding and completed in the previous week?

GRC Manager (A)

According to the text, what is the purpose of the Investigation file in NNPC Limited's Investigation Processes and Procedures?

To store all relevant information regarding the investigation (A)

Which of the following questions should be answered in an investigation report according to the text?

All of the above (D)

What should the Investigation Team do with information received during the course of an investigation, according to the text?

Handle it with utmost confidentiality (C)

Who is responsible for taking disciplinary action based on the factual findings captured in the investigation report, according to the text?

The Disciplinary Committee (B)

Which of the following is NOT a step in the reporting and recommendation process of an investigation, according to the text?

Reviewing the investigation report to ensure all information has been considered (C)

Who is responsible for reviewing the investigation report and updating recommendations on action(s) to take in response to the findings, according to the text?

Chief Compliance Officer (C)

Which party is responsible for updating the investigation database with the summary of internal recipients for reviews and inputs, according to the text?

Legal department (B)

Which of the following is NOT a key performance indicator (KPI) for the closure of an investigation, according to the text?

Accuracy of the investigation report (C)

According to the text, who is authorized to grant exceptions to the application of the policy and seek ratification from the NNPC Limited Board?

The GCEO (A)

How often is the NNPC Limited Policy Management Processes and Procedures manual intended to be updated, unless there is a specific requirement for an immediate revision?

Every two years (D)

Who does the NNPC Limited Policy Management Processes and Procedures manual apply to?

All employees of NNPC Limited (B)

Which of the following is NOT a component of NNPC Limited's policy management processes and procedures?

Governance and accountability structures (A)

What does the SIPOC model stand for in NNPC Limited's policy management processes and procedures?

Supplier-Input-Process-Output-Customers (A)

What is the purpose of the Relationship Map for the Efficiency Function in NNPC Limited's policy management processes and procedures?

To show the relationship between different processes and functions (D)

Which department is responsible for drafting the policy and presenting it to the Efficiency Unit and Board Committee?

User department/Process owner (B)

What is the timeframe for measuring the performance indicator 'Existence of the drivers of policy formulation'?

As required (A)

What is the basis of measurement for the performance indicator 'Use appropriate template'?

Alignment with policy template (A)

Which department is responsible for managing NNPC Limited's policies within the company?

The GCEO and Management of NNPC Limited (B)

Who has the overall responsibility for Corporate Policies in NNPC Limited?

The Board (C)

What is the objective of the policy formulation process in NNPC Limited?

All of the above (D)

Which party is responsible for driving policy implementation within the relevant business processes, according to the text?

Efficiency unit (with support of Process Owner) (B)

Who is responsible for reviewing the policy for adequacy and strategic alignment, according to the text?

Business Unit/Efficiency unit/GRC (A)

What is the minimum frequency at which the risk assessment pack is inputted in the ERM process at NNPC Limited, according to the text?

Annually (B)

Who is responsible for preparing a presentation summarizing the policy and its benefits, according to the text?

Efficiency unit (with support of Process Owner) (B)

What is the responsibility of the Head of Efficiency unit in relation to policy changes in NNPC Limited?

Review and approve draft changes to the policy template (A)

Which of the following triggers may lead to the update or renewal of NNPC Limited's policies?

All of the above (D)

Who is responsible for approving policy changes that involve any change in or impact the implementation of Company strategy in NNPC Limited?

Board and/or Approving authority (C)

Which department is responsible for drafting and presenting policies to the Efficiency Unit and Board Committee?

Business Unit (D)

How often are periodic reviews of policies conducted at NNPC Limited?

Bi-annually (A)

What is the role of the Efficiency Unit in the policy management process at NNPC Limited?

Disseminating policies (B)

What is the responsibility of the Process Owner in the policy modification process at NNPC Limited?

Preparing the business case (C)

Which of the following is NOT a purpose of NNPC Limited's Business Continuity Policy?

To establish a framework for risk management (A)

What is the purpose of NNPC Limited's Business Continuity Policy?

To ensure business continuity during disruptions (C)

What is the general approach to Business Continuity Management (BCM) described in NNPC Limited's Business Continuity Policy?

Monitoring the effectiveness of business continuity management (B)

What is the purpose of NNPC Limited's Business Continuity (BC) Policy?

To ensure the continuity of business operations during and after disruptions (A)

What does NNPC Limited's Business Continuity Policy aim to minimize?

The potential damage caused by disruptive incidents (C)

What does NNPC's general approach to Business Continuity Management (BCM) include?

All of the above (D)

Which of the following triggers may lead to the renewal or update of NNPC Limited's policies?

All of the above (D)

Who is responsible for reviewing and approving draft changes to the policy template at NNPC Limited?

Head of Efficiency unit (B)

Which level of seniority is recommended for the personnel responsible for updating and renewing NNPC Limited's policies?

Senior management (C)

Which department is responsible for retiring corporate policies at NNPC Limited?

Board Audit Committee (C)

Who is responsible for evaluating proposed updates to policies at NNPC Limited?

Efficiency unit (C)

What is the role of the Board Audit Committee (BAC) in the policy retirement process at NNPC Limited?

Approve retirement of corporate policies (A)

When should a policy at NNPC Limited be reviewed to ascertain if any modification is required?

All of the above (D)

Which of the following is NOT a component of NNPC Limited's Business Continuity Policy?

Framework for managing disruptive incidents (B)

What is the purpose of NNPC Limited's Business Continuity Policy?

To establish guidelines for business resilience and risk management measures (C)

Which department is responsible for drafting NNPC Limited's Business Continuity Policy?

Efficiency Unit (C)

Which of the following is NOT covered by the scope of NNPC Limited's Business Continuity Policy?

Financial transactions (B)

What is the purpose of Business Continuity Management at NNPC Limited?

To ensure time-sensitive operations are resumed and recovered (A)

Which of the following events may have regional or nationwide impact, rendering multiple NNPC facilities inaccessible?

Pandemics (A)

Which of the following is NOT a goal of NNPC Limited's Business Continuity Management (BCM) program?

Ensure that BC plans are regularly tested and updated to meet the changing needs of the company (D)

What is the purpose of providing awareness on business continuity to all employees and relevant external parties?

To ensure that all employees and relevant external parties are aware of the importance of business continuity (B)

What is the responsibility of the Systems and Strategy sub-unit under Quality Assurance (QA) within NNPC Limited?

To evaluate the relevance and effectiveness of business continuity programs (A)

What is the responsibility of the Crisis Management Team (CMT) at NNPC Limited?

Develop, review, and update the crisis management plan (A)

What is one of the key responsibilities of the Incident Management Team at NNPC Limited?

Monitor and detect early signs of an emergency (D)

What is the purpose of defining and assessing key roles and responsibilities in establishing a business continuity programme?

To establish a successful business continuity programme (D)

Which of the following is NOT a responsibility of the Business Continuity Manager at NNPC Limited?

Implement emergency measures and contingency plans (B)

What is the role of the Business Continuity Champions (Emergency Response/Business Recovery Team) at NNPC Limited?

Support the implementation and adoption of business continuity requirements within their departments (A)

What is the responsibility of the Information Technology Team (Technical Recovery Team) at NNPC Limited?

Management of related processes such as incident and change management (A)

What is the responsibility of the Department Managers in relation to business continuity at NNPC Limited?

Review and manage staff competencies and training needs to enable staff to perform their roles effectively within the business continuity area (D)

Which of the following is NOT a reason for updating the Business Continuity Plans?

Acquisition of new oil and gas reserves (C)

Who is responsible for reviewing and updating the Business Continuity Plans annually?

Business Continuity Manager (D)

What should be done after identifying changes in business arrangements that have not yet been reflected in the Business Continuity Plan?

Update the plan (A)

Which of the following is NOT a responsibility of NNPC in relation to its Business Continuity Plan?

Conducting a risk assessment to identify potential interruptions (D)

Who are considered key stakeholders in NNPC's Business Continuity Management (BCM) program?

Group Chief Executive Officer (A)

What is the purpose of the Business Impact Analysis (BIA) process?

To identify and rank critical business processes and downtime costs (B)

What is the frequency of reviewing and updating the Business Impact Analysis (BIA) and Risk Assessment (RA) processes?

Every year (B)

Which of the following is the primary objective of NNPC's Business Continuity Policy?

To reduce or address substantial business disruptions affecting its critical business operations (C)

What is the purpose of the Competency and Training Requirements mentioned in the text?

To identify training needs and maintain a plan to ensure necessary competencies are in place (C)

What is the purpose of the NNPC Business Continuity Policy?

To reduce or address substantial business disruptions affecting its critical business operations (D)

Which of the following is NOT a component of the business continuity planning process mentioned in the text?

Contact lists of all suppliers, external dependencies, and personnel identified with roles and responsibilities, as well as alternate and escalation contacts. (C)

What is the purpose of testing the Business Continuity Plans (BCPs) according to the text?

To ensure that NNPC is adequately prepared to execute a credible recovery in the event of a real incident. (B)

How often should the Business Continuity Plans (BCPs) be reviewed?

Annually (D)

What is the responsibility of the owners of the appropriate business resources or processes involved in the business continuity planning process?

To be responsible for emergency procedures, manual fallback plans, and resumption plans. (D)

Which of the following is NOT a term/abbreviation mentioned in the glossary of terms in the text?

BCP (C)

Which of the following is NOT a stakeholder mentioned in NNPC Limited's due diligence policy?

Competitors (A)

Which of the following is NOT a purpose of NNPC Limited's due diligence processes?

Enhancing customer satisfaction (A)

Who is responsible for overseeing the due diligence review process at NNPC Limited?

Chief Compliance Officer (C)

Who administers the due diligence process at NNPC Limited?

GRC Manager (A)

Who makes recommendations to approve or reject the business relationship at NNPC Limited?

GRC Manager (D)

Who performs the initial risk categorization at NNPC Limited?

LOD 1 (C)

Which organization is responsible for the lift and sale of royalty oil and tax oil on behalf of the Nigerian Upstream Regulatory Commission and the Federal Inland Revenue Service?

NNPC Limited (B)

What is the purpose of the Frontier Exploration Fund?

To manage the proceeds of the sales of profit oil and profit gas (D)

Who is responsible for carrying out test marketing to ascertain the value of crude oil?

NNPC Limited (A)

What is the role of NNPC Limited in promoting the domestic use of natural gas?

To develop and operate large-scale gas utilisation industries (A)

Which of the following is considered a Third Party in the context of NNPC Limited's Due Diligence Policy?

Counterparties (A)

What is the objective of NNPC Limited's Due Diligence Policy?

To assess and mitigate risks in business decisions (A)

What is the definition of 'Beneficial Owner' according to NNPC Limited's Due Diligence Policy?

The natural person(s) who ultimately owns or controls a legal entity (C)

What does 'KYC' stand for in the context of NNPC Limited's Due Diligence Policy?

Know Your Customer (C)

Which of the following factors is NOT considered when determining the risk rating of an employee's job role at NNPC Limited?

The employee's level of education (B)

Which of the following is responsible for performing the initial risk categorization based on the General IDD and EDD at NNPC Limited?

LOD 1 (C)

What are the possible risk categories at NNPC Limited?

High, Medium, or Low (A)

Which of the following is NOT a requirement for Level C due diligence according to the text?

Negative findings and litigation (A)

What is one of the factors considered when assessing the financial strength of a prospective partner according to the text?

Leverage and profitability ratios (B)

What type of information is NOT mentioned as potentially required for an investigation according to the text?

Comprehensive credit report (A)

Which type of due diligence is conducted on third parties providing services classified as low risk at NNPC Limited?

Level A (D)

What is the risk classification that would require weighty reasons and an extensive EDD proportionate to the risk at NNPC Limited?

High Risk (B)

Which risk classification at NNPC Limited may not move forward with the proposed activity unless there exist substantial reasons for continuing with the project?

High Risk (C)

What does a high-risk counterparty at NNPC Limited being listed on a Sanctions List indicate?

The counterparty is/has been a subject of criminal investigations, charges, or convictions for serious wrong doings. (C)

Which of the following is NOT a component of NNPC Limited's general integrity due diligence review?

Conducting a Level A general integrity review (D)

What is the purpose of the general integrity due diligence review conducted by NNPC Limited?

To assess the purpose and economic rationale of the counterparty's dealings (B)

What is the purpose of reviewing sanctions lists as part of the general integrity due diligence review conducted by NNPC Limited?

To identify individuals and entities involved in fraud, corruption, terrorism, human rights violations, money laundering, terrorist financing, tax evasion, etc. (D)

According to the text, what is the purpose of pre-employment screening for potential or new employees of NNPC Limited?

To conduct reference and background checks (D)

What is the basis of risk classification for existing or prospective customers of NNPC Limited?

Level of risk associated with the business relationship (C)

What type of due diligence must be conducted on customers identified as medium to high risk before any business transaction?

Enhanced due diligence (C)

What should the relevant unit establish, record, maintain, and operate procedures and controls for in respect of new customers or occasional transactions?

Obtaining information on the nature and intended purpose of the business relationship (B)

Which of the following statements is true about NNPC Limited's due diligence procedure for doing business with third-party service providers and suppliers?

NNPC Limited conducts due diligence on potential third parties before commencing business relationships. (C)

What is the purpose of NNPC Limited's due diligence procedure for doing business with third-party service providers and suppliers?

To evaluate and manage potential corruption risks associated with the business relationship. (C)

What is the minimum required due diligence procedure for doing business with certain third-party service providers and suppliers at NNPC Limited?

Conducting background checks on potential third parties. (D)

Which of the following is NOT a factor considered in the assessment of Politically Exposed Persons (PEPs) linked to the counterparty or the relevant NNPC Limited activity?

Recommendations from FATF (A)

What is the purpose of conducting a contingency measures review at the outset of any business relationship?

To identify exit risk indicators and assess possible contingency measures (A)

Which of the following is NOT a mitigating measure that could be applied in the event of an identified risk?

Reporting or audit requirements (B)

When is an Enhanced Due Diligence (EDD) review carried out by the GRC team or an external provider?

If the integrity review indicates a High Risk (D)

How often should recertifications be performed on vendors and third-party service providers in existing contracts at NNPC Limited?

Every two years (C)

Which of the following is NOT a requirement for third parties that undertake regulated business on behalf of NNPC Limited?

Registration with a renowned professional organization (B)

What types of processes may NNPC Limited use to perform ongoing monitoring of its counterparties?

All of the above (D)

Which of the following is NOT a responsibility of the GRC Division/Chief Compliance Officer at NNPC Limited?

Reviewing and updating the Business Impact Analysis (BIA) and Risk Assessment (RA) processes (B)

What is the minimum educational requirement for the GRC Manager or other relevant officers responsible for implementing the Due Diligence Policy at NNPC Limited?

Bachelors' Degree in Economics (D)

How long should the findings of the Risk monitoring be archived for future reference?

Five (5) to ten (10) years (D)

Who is responsible for reviewing the Due Diligence Policy at NNPC Limited every two (2) years and submitting recommendations to the Board of Directors for any necessary amendments or revisions?

Board Audit Committee (C)

Flashcards

Risk Appetite

The amount of risk NNPC Limited is willing to take to achieve its goals.

Key Objective of Risk Management

The primary goal of risk management is to identify, evaluate, and minimize risks that could hinder NNPC Limited's objectives.

Broad Corporate Objectives

NNPC Limited's risk appetite is based on these broad corporate objectives: strategic, financial, operational, and compliance.

Enterprise Risk Management (ERM) Function

This function is responsible for developing and executing the risk management framework within NNPC Limited.

Risk Management Framework

The framework is structured around the three lines of defense model: First line – operational management, Second line – risk and compliance functions, Third line – internal audit.

Governance, Risk and Compliance Function

This function oversees the risk management activities across NNPC Limited and its subsidiaries.

Risk Governance Structure

This structure includes the Board of Directors, the Management Risk Committee, Heads of Risk Management, and Functional Heads, all playing a role in risk governance.

Board of Directors' Role in Risk Management

The Board is responsible for reviewing and approving the overall risk management framework.

Management Risk Committee's Role

This committee reviews the risk management framework and recommends it to the Board for approval.

Risk Management Process

The process involves identifying, assessing, and mitigating risks within the organization.

Risk Assessment

This step entails identifying, assessing, and prioritizing risks based on their likelihood and impact.

Risk Treatment

This step involves choosing and implementing strategies to minimize the identified risks.

Risk Monitoring and Reporting

This process ensures continuous tracking and reporting on risk mitigation efforts.

Key Risk Indicators (KRIs)

These indicators are used to monitor and report on risks, providing insights into the effectiveness of mitigation strategies.

Risk Management Framework Review

The framework undergoes a comprehensive review and necessary updates on an annual basis.

Risk Management Training and Awareness

This plan is designed to educate employees on risk management principles and practices.

Risk Management Training and Awareness Plan

The plan incorporates training programs, workshops, and awareness campaigns to enhance risk management understanding.

Risk Awareness Program

This program promotes a proactive risk-aware culture within the organization.

Head of Risk Management's Role

The Head of Risk Management is responsible for developing and implementing the risk management framework.

Heads of Risk Management in Subsidiaries

Heads of Risk Management at NNPC Limited and its subsidiaries are responsible for overseeing risk management activities.

Functional Heads' Role

Functional Heads ensure risk management practices are implemented effectively within their respective departments.

Risk Management Policy

This policy outlines NNPC Limited's approach to risk management.

Risk Management Policy Review

The policy undergoes regular review and updates annually to reflect changing circumstances and best practices.

Risk Management Policy Exceptions

The Board of Directors has the authority to approve exceptions to the risk management policy.

Risk Management Exception Approval

Exceptions are granted on a case-by-case basis after careful consideration.

Risk Management Categories

Risks are categorized based on their likelihood and impact, with three categories: high, medium, and low.

Risk Prioritization

Risks are prioritized based on their likelihood and impact, with higher priority given to those with a high likelihood and impact.

Risk Management Parameters

The risk management framework considers several parameters, including risk appetite, tolerance, and threshold, to determine acceptable risks.

Risk Management Frequency

Risk management activities are performed at various frequencies, ranging from quarterly to annually, based on the organization's risk appetite and tolerance.

Risk Management Tools

Various tools, such as risk assessment templates, registers, and key risk indicators (KRIs), are used to identify, assess, and mitigate risks.

Risk Management Review

The risk management framework undergoes an annual review by the Management Risk Committee to ensure its effectiveness.

Study Notes

Risk Appetite and Objectives

• NNPC Limited's risk appetite is the amount of risk the organization is willing to accept to achieve its objectives.
• The key objective of risk management is to identify, assess, and mitigate risks that could impact the achievement of NNPC Limited's objectives.
• The broad corporate objectives on which NNPC Limited's risk appetite is based include strategic, financial, operational, and compliance objectives.

Risk Management Framework

• The Enterprise Risk Management (ERM) function is responsible for developing and implementing the risk management framework.
• The risk management framework is based on the three lines of defense model.
• The Governance, Risk and Compliance Function is responsible for overseeing the risk management activities at NNPC Limited and its subsidiaries.

Risk Governance Structure

• The risk governance structure consists of the Board of Directors, Management Risk Committee, Heads of Risk Management, and Functional Heads.
• The Board of Directors is responsible for reviewing and approving the risk management framework.
• The Management Risk Committee is responsible for reviewing the risk management framework and recommending it to the Board for approval.

Risk Management Process

• The risk management process involves identifying, assessing, and mitigating risks.
• The risk assessment process involves identifying and assessing risks, and prioritizing them based on their likelihood and impact.
• The risk treatment process involves selecting and implementing risk mitigation strategies.

Risk Monitoring and Reporting

• The risk monitoring and reporting process involves tracking and reporting on risk mitigation efforts.
• Key risk indicators (KRIs) are used to monitor and report on risks.
• The risk management framework is reviewed and updated annually.

Risk Management Training and Awareness

• The risk management training and awareness plan is designed to educate employees on risk management principles and practices.
• The plan includes training programs, workshops, and awareness campaigns.
• The risk awareness program is designed to promote a risk-aware culture within the organization.

Risk Management Roles and Responsibilities

• The Head of Risk Management is responsible for developing and implementing the risk management framework.
• The Heads of Risk Management at NNPC Limited and its subsidiaries are responsible for overseeing risk management activities.
• Functional Heads are responsible for implementing risk management practices within their respective departments.
• The ERM Function is responsible for developing and implementing the risk management framework.
• The Management Risk Committee is responsible for reviewing and approving the risk management framework.

Risk Management Policy

• The risk management policy outlines the organization's approach to risk management.
• The policy is reviewed and updated annually.
• The policy is approved by the Board of Directors.

Risk Management Exceptions

• The Board of Directors is authorized to grant exceptions to the application of the risk management policy.
• Exceptions are granted on a case-by-case basis.

Risk Management Categories

• Risks are categorized based on their likelihood and impact.
• The categories include high, medium, and low risks.
• Risks are prioritized based on their likelihood and impact.

Risk Management Parameters

• The risk management framework considers several parameters, including the organization's risk appetite, risk tolerance, and risk threshold.
• The parameters are used to determine the acceptable level of risk for the organization.

Risk Management Frequency

• Risk management activities are performed at various frequencies, including quarterly, bi-annually, and annually.
• The frequency of risk management activities depends on the organization's risk appetite and risk tolerance.

Risk Management Tools

• Several tools are used in the risk management process, including risk assessment templates, risk registers, and key risk indicators.
• The tools are used to identify, assess, and mitigate risks.

Risk Management Review

• The risk management framework is reviewed annually.
• The review is performed by the Management Risk Committee.
• The review is used to update the risk management framework and ensure it remains effective.