Risk Management at NNPC Limited

Second Line of Defence – Risk Oversight

• The ERM Function at NNPC Limited and its subsidiaries performs various risk management activities, including:
  • Periodic scans of the operating environment for emerging risks
  • Developing and implementing tools and templates to embed ERM
  • Maintaining and monitoring the risk inventory by engaging process owners
  • Fostering a corporate risk culture through training and serving as an internal ambassador
  • Facilitating risk assessment and prioritization by management

ERM Processes and Procedures

• The ERM Function is responsible for:
  • Coordinating and reviewing risk input from risk owners
  • Identifying and proposing key risk indicators, threshold limits, and mitigating strategies
  • Periodically facilitating and validating risk and control self-assessments
  • Monitoring and reporting on risk management to the BAC and Management Risk Committees

GRC Function

• The GRC Function is responsible for:
  • Coordinating budgeting and financial administrative activities
  • Overseeing the resourcing of staff, including job rotation and management development programs
  • Developing SMART performance metrics to drive and improve the effectiveness and efficiency of the Function
  • Coordinating the development of standardized policies, procedures, and manuals

Quality Assurance Processes and Procedures

• The Mission of the QA Unit is to provide assurance that all GRC activities have been conducted in accordance with standard practices across NNPC Limited and its subsidiaries.
• The QA Unit shall support the management of the GRC Function to coordinate quality assurance activities.
• The QA Unit shall cover NNPC Limited and its subsidiaries.

Structure of the QA Unit

• The QA Unit reports to the Head of Global Compliance and ultimately to the Chief Compliance Officer.
• The Quality Assurance Manager is responsible for implementing and monitoring compliance with the internal quality management system.

Objective and Policy

• The objective is to consolidate and standardize the tasks and responsibilities to ensure effective execution of QA reviews in line with standards and stakeholder expectations.
• The QA Unit shall collaborate with an external assessor every three years to assess the GRC Function within NNPC Limited.

Key Performance Indicators (KPIs)

• The QA Unit shall be responsible for monitoring the KPIs for the GRC Function, which include:
  • Staff satisfaction, retention, and quality of development
  • Percentage of certified staff
  • Training cost as a percentage of GRC budget
  • Minimum training hours per GRC staff
  • Minimum number of GRC staff rotated into the business in one year
  • Minimum number of process owners rotated into GRC in one year
• The QA Unit shall report the KPIs to GRC leadership annually.

QA Planning and Resourcing Strategy

• The QA Unit shall develop an annual plan for ongoing internal assessments and define the approximate resources and strategy necessary to accomplish the scope.
• The QA plan shall ensure that at least one GRC engagement review from each subsidiary and one GRC engagement within each division at NNPC Limited is selected for quality assurance in each calendar year.