NNPC Limited ERM Processes and Procedures PDF
Summary
This document outlines procedures and processes for risk management within NNPC Limited. It details responsibilities of different committees, functional heads, and the ERM function to effectively identify, mitigate, and monitor risks across the organization. It covers topics like risk identification, assessment, and mitigation.
Full Transcript
Limited. The Board oversees risk management through the Board Audit Committee.

2. Board Audit Committee (BAC)
The Committee shall:
a) Assist the Board in setting an overall risk culture and appetite at the top;
b) Assist the Board in overseeing the effectiveness of risk management and controls through the review of periodic risk management reports;
c) Discuss risk management philosophy and risk appetite;
d) Review the framework for managing risks and recommend it to the Board for approval;
e) Review the propositions of Senior Management to identify potential risk exposures and direct appropriate actions to be taken by Senior Management; and
f) Empower the ERM Function to enable it to discharge its responsibilities effectively.

3. Management Risk Committee
The Committee shall:
a) Implement an effective risk management system and instil the right culture throughout NNPC Limited and its subsidiaries for effective risk governance;
b) Ensure that the internal and external risks relevant to the organisation have been effectively identified and assessed;
Page 27 of 347 NNPC Limited ERM Processes and Procedures
c) Develop and implement a sound system of internal controls and mitigating strategies to bring risks within acceptable levels and threshold limits;
d) Review and validate key risk indicators and threshold limits for recommendation to the BAC for approval;
e) Evaluate strategic initiatives and management decisions to ensure that they are within the approved risk appetite;
f) Appoint risk owners for the key risks of the organisation; and
g) Ensure that risk management policies are integrated into NNPC Limited’s culture.

4. Functional Heads
All functional heads will be responsible for the day-to-day identification, mitigation, management and monitoring of risks within their respective departments. Specifically, they shall:
a) Adhere to NNPC Limited’s process for identifying and managing risks to which they are exposed;
b) Identify and report risk events to the RM Function;
c) Report on the associated risk profile and the status of risk mitigating strategies to the ERM Function;
d) Continuously identify, mitigate and monitor risks within their respective business areas;
e) Implement policies and procedures developed to manage risks; and
f) Manage day-to-day risk exposures by complying with standard operating policies and procedures.

Functional Heads as Risk Champions
Functional Heads shall serve as functional risk champions, or appoint champions within their function, who shall perform the following risk management activities:
a) Act as a communication channel between the ERM Function and risk owners;
b) Educate members of their team on the use of the control self-assessment questionnaires;
c) Drive the implementation of risk mitigation plans within the risk register for the departments;
d) Conduct risk awareness sessions at departmental meetings;
e) Manage the team’s risk event database and communicate identified risks to the ERM Function; and
f) Escalate challenges with risk management efforts within their departments.

Second Line of Defence – Risk Oversight
The ERM Functions at NNPC Limited and its subsidiaries perform the following risk management activities:
a) Perform periodic scans of the operating environment for emerging risks;
b) Develop and implement the necessary tools and templates to embed ERM across NNPC Limited and its subsidiaries;
c) Maintain and monitor (changes in) NNPC Limited’s risk inventory by engaging all process owners to identify risks and obtain an enterprise-wide view of risks;
d) Foster a corporate risk culture through adequate training and by serving as an internal ambassador and resource centre for ERM;
e) Facilitate risk assessment and prioritization by management;
f) Coordinate, review and challenge (where necessary) the input received from risk owners in identifying risks and developing comprehensive risk registers;
g) Consult with process owners to identify and propose key risk indicators, threshold limits and mitigating strategies to the Management Risk Committees for validation;
h) Periodically facilitate and validate risk and control self-assessments performed by risk owners, to monitor the operational risk profile and strengthen the control environment;
i) Periodically monitor and report on risk management to the BAC and Management Risk Committees (see Appendix B for details of the Risk Reporting Framework); and
j) Assist stakeholders in risk management matters and provide periodic risk advisory services to the business as may be required.

Third Line of Defence – Assurance
1. Audit Function
The Audit Function (AF) shall provide independent assurance on the adequacy and effectiveness of the controls in place for managing risks, as well as on compliance with policies and procedures. An external assessment of the ERM Function shall be conducted by an independent third party as part of the quality assurance review of the overall GRC function.
This should be performed at least once every three (3) years. Upon separation of the IA Function from GRC, the IA Function shall conduct independent assurance reviews of the ERM Function as part of its internal audit plan.

2. External Audit
The External Audit Function is statutorily responsible to shareholders for providing an independent opinion on NNPC Limited’s financial statements. The function shall also report on the adequacy of NNPC Limited’s risk management systems.

3. Regulators
Regulators sometimes set and monitor the implementation of specific requirements aimed at strengthening Company-wide risk management practices for increased assurance of building a sustainable enterprise.

5. Risk Management and Stakeholder Relationships
The relationship between the RM and other stakeholders is depicted in the diagram below:
[Diagram: the Enterprise Risk Management Function and its stakeholders: Board Audit Committee, Rating Agencies, Internal Auditors, External Auditors, Departments and Ad-hoc Committees. Flows shown between them: risk reports, reporting & analysis, directives, business information & data, enquiries/audit reports, and risk report & risk analysis.]

4.2 Objectives
To identify the interrelationships that exist between the divisions, departments and functions that are relevant in the governance of enterprise risks, and the accompanying roles and responsibilities.

4.3 Policies
1. NNPC Limited’s risk governance structure shall be based on the “three lines of defense” model, which ensures that risk is properly managed throughout NNPC Limited and its subsidiaries.
2. The Subsidiary Boards, Management and Subsidiary GRC function shall replicate the roles and responsibilities defined for NNPC Limited within their entities.
3. ERM Organisational Structure:
a) The Chief Compliance Officer shall double as the Chief Risk Officer for NNPC Limited.
b) The Chief Compliance Officer shall report directly to the GCEO and have direct access to the BAC on risk management activities.
c) The Head of Risk Management shall primarily oversee the risk management activities of the risk management teams at the Headquarters and subsidiaries, and report directly to the NNPC Limited Chief Compliance Officer.
d) There shall be a GRC function at each subsidiary, headed by a Subsidiary Executive Director of the GRC. The function shall report functionally to the NNPC Limited GRC through the Head of Risk Management on risk management matters. The Subsidiary Executive Director of the GRC shall also have direct access to the MD of the subsidiary and to the subsidiary Board through the BAC, in line with leading practices.

5.0 Enterprise Risk Management Process
5.1 Introduction
This section describes the detailed steps to be adopted in managing business risks within NNPC Limited and its subsidiaries. The objectives of the risk management process described in this chapter are:
a) To establish a standard for identifying, assessing, mitigating and reporting risks across NNPC Limited and its subsidiaries; and
b) To ensure effective and holistic integration of leading risk management practices across NNPC Limited and its subsidiaries.
NNPC Limited’s ERM process will address four major components as depicted below.
[Figure: Risk Management Process]

5.2 Risk Identification
The aim of risk identification is to generate a comprehensive list of all the relevant risks that could influence the achievement of its business and strategic objectives.
Regular risk identification is imperative to the success of the risk management process, as it ensures that emerging risks are included for consideration.

Objectives
To identify all key risks and opportunities that could potentially have an impact on the organisation’s objectives.

Policies
1. Management shall put systems in place to ensure that enterprise risks are reviewed at least annually and on a continuous basis.
2. The risk identification activities shall consider existing and emerging risks to ensure adequate coverage of all risks that may impact our strategic objectives and operations.
3. The ERM Function shall validate all identified risks with Management to ensure accuracy and completeness.
4. All identified risks shall be documented, and such documentation shall include key information including, at a minimum, the nature of the risk, the source of identification, the root causes, and the historical or potential ways the risks impact NNPC Limited.

Procedures
1. Responsible Party: ERM Function / Heads of Departments
Description: For projects, gather and review information on project risks through the review of:
a) Quality and Risk management plan
b) Cost management plan
c) Schedule management plan
d) Scope baseline
e) Activity cost and duration estimates
f) Stakeholder register
g) Procurement document
h) Project charter
i) Feasibility study, etc.
Job Aid: Proactive feedback from process owners on identified risks; Documentation Reviews; Brainstorming; Administering questionnaires and surveys; SWOT Analysis; Workshops; Risk Questionnaires

2. Responsible Party: ERM Function
Description: Develop and agree objectives for the risk identification process.
Job Aid: Email; Office Tools

3. Responsible Party: ERM Function, with the support of the process owners
Description: Gather and review information on existing and emerging risks. The process will involve performing any of the following activities:
a. Review of industry trends and data.
b. Environmental scanning/market intelligence analysis.
c. Review of process maps and/or process documents.
d. Analysis of internal and external audit reports.
e. Review of risk event reports.
f. Benchmarking against industry leading practices.
Job Aid: One-on-One interview sessions/Workshop; Administering questionnaires and surveys; Proactive feedback from process owners on identified risks; Focus group discussions; Documentation Reviews; Brainstorming; SWOT Analysis; Workshops; Risk Questionnaires

4. Responsible Party: ERM Function
Description: For projects, gather and review information on project risks through the review of:
a. Quality and Risk management plan
b. Cost management plan
c. Schedule management plan
d. Scope baseline
e. Activity cost and duration estimates
f. Stakeholder register
g. Procurement document
h. Project charter
i. Feasibility study, etc.
Job Aid: Documentation Reviews; Interviews/Workshops; Risk Questionnaires; Root Cause Analysis; SWOT Analysis; Brainstorming; Checklist Analysis; Assumption Analysis; Expert Opinion

5. Responsible Party: ERM Function, with the support of the risk/process owner
Description: Review, analyse and aggregate the risks identified from the various risk identification activities. This will involve streamlining duplicated risks and categorising risks appropriately. The following categories can be used for categorisation:
External: Risks that arise from events outside the Company’s control that can impact the business. Risks in this area include policy and regulatory uncertainty risk, and equipment loss and vandalism risk.
Strategic: Internal risks associated with the Company’s corporate business model, strategy and long-term planning. Risks in this area include weak governance and corporate culture risk, and ineffective alliance & partnership risk.
Operational: Risks derived from the Company’s core business practices and support processes, which rely on systems, practices and people. Within this risk domain are technical loss risk, network infrastructure risk, and business continuity and disaster recovery risk.
Financial: Risks associated with the Company’s ability to raise capital, maintain access to capital, contracting issues, cost of risk and evaluating vendor support. Risks in this area include credit/collection loss risk, and funding and liquidity risk.
Job Aid: Brainstorming

6. Responsible Party: ERM Function
Description: Populate the risk register and map the risks to the relevant business process.
Job Aid: Documentation

7. Responsible Party: ERM Function, with the support of the risk/process owner
Description: Validate the risks with the process owners and other key stakeholders.
Job Aid: Interviews

8. Responsible Party: ERM Function
Description: Consolidate the risks identified across NNPC Limited and its subsidiaries on the risk register.
Job Aid: Documentation

Input & Output Documents
S/N | Document | Description | Type | Frequency | Source | Recipient
1 | Process documents and strategy | | Input | As required | Process owners | ERM Function
2 | BUD | | Output | As required | ERM Function | ERM Function
3 | Risk Universe | | Output | As required | ERM Function | ERM Function and Process Owners

Key Performance Indicators
S/N | Performance Measure | Basis of Measurement | Timeframe | Target
1 | Frequency of enterprise risk identification | Number of enterprise risk identifications | Annually | Minimum of one
2 | Frequency of functional risk identification | % of functional risk identifications conducted | Annually | TBD